Tmpfiles Upload

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill does what it says—uploading files to tmpfiles.org and sharing links—but users should avoid uploading sensitive files because the links are public while active.

Install only if you are comfortable using tmpfiles.org for temporary public file links. Before uploading, verify the file is non-sensitive and intended to be shared, and double-check the messaging recipient.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the wrong local file is selected, it could be uploaded and exposed through a temporary public link.

Why it was flagged

The skill instructs the agent to read a local file and upload it to an external service. This is central to the stated purpose, but the user should ensure the selected file is intended for sharing.

Skill content

with open('/path/to/file.png', 'rb') as f:
    r = requests.post('https://tmpfiles.org/api/v1/upload', files={'file': f})

Recommendation

Confirm the exact file path and recipient before using the skill, and do not use it for sensitive or confidential files.

What this means

Anyone with the generated link may be able to access the uploaded file until it expires.

Why it was flagged

The artifact clearly discloses that uploaded files are publicly accessible while the link is active, which is an important data-boundary consideration for a third-party file-sharing workflow.

Skill content

- Files are publicly accessible while active
- Not suitable for sensitive/permanent storage

Recommendation

Use only for non-sensitive temporary sharing, and prefer a private authenticated sharing method for confidential material.