ClawHub

Qiniu Upload

v1.0.2

将本地文件(图片、HTML 等)上传到七牛云存储,返回可在线访问的 URL。 Use when: 用户需要把生成的图片、HTML 页面或任意文件上传到云端以便分享链接;用户说「上传到七牛」「生成图片并上传」「把这个 HTML 上传到网上」。 NOT for: 上传到其他云存储(如 S3、OSS);仅生成文件不分享链接。

0· 158·0 current·0 all-time
bytianshu@wangshengli0421
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (upload to Qiniu) match the actual requirements and behavior: the skill needs Qiniu Access/Secret keys, bucket and domain, and its script uploads a local file to the specified bucket and returns the CDN URL. Requested env vars are appropriate for Qiniu integration.
Instruction Scope
SKILL.md instructs the agent to run a local Node script against a provided file path and to return the resulting URL. The instructions only reference the declared env vars and the local upload script; they do not request other system files or unrelated credentials.
Install Mechanism
No formal install spec is declared in the registry (instruction-only), but the package includes a package.json that depends on the public 'qiniu' npm package and README instructs running 'npm install'. This is not inherently malicious but means the user/agent must run npm install manually (the skill will fail until dependencies are installed). Using a public npm package is normal but carries usual supply-chain considerations.
Credentials
The skill requires QINIU_ACCESS_KEY, QINIU_SECRET_KEY, QINIU_BUCKET, QINIU_DOMAIN (and optionally QINIU_PREFIX). These are proportionate and expected for uploading to Qiniu. No unrelated secrets or multiple external service credentials are requested.
Persistence & Privilege
Skill does not request always:true, does not modify other skills or system-wide settings, and has no special persistence requirements. It runs a local script and returns a URL.
Assessment
This skill appears to do exactly what it claims: upload a local file to Qiniu and print the public URL. Before installing/use: (1) Only provide Qiniu credentials that you trust — these keys can allow access to your bucket; prefer a bucket with restrictive permissions or short-lived/upload-only credentials if possible. (2) The skill has a dependency on the public 'qiniu' npm package; run 'npm install' in the skill directory as instructed and verify the dependency/version if you have supply-chain concerns. (3) The registry entry does not include an automated install step, so the agent or you must ensure the Node environment and dependencies are present. (4) Review QINIU_DOMAIN and QINIU_PREFIX to avoid publishing sensitive local files publicly. If you need more assurance, inspect the upload.js file yourself (it is short and straightforward) before enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a9fjtwcfgbkyn15009xxea5834545

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvQINIU_ACCESS_KEY, QINIU_SECRET_KEY, QINIU_BUCKET, QINIU_DOMAIN
Primary envQINIU_ACCESS_KEY

Comments