Doge Oss Upload
v0.1.0Upload a local file to DogeCloud OSS (DogeCloud 对象存储) and return a public URL + metadata. Use when the user asks to “upload to doge/dogecloud”, “生成公网链接”, “把截...
⭐ 0· 289·0 current·0 all-time
by青玉白露@white0dew
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (upload a local file to DogeCloud OSS) matches the included script and instructions: the script calls DogeCloud APIs and uploads via a temporary S3-style token. However the registry metadata claims "Required env vars: none" and "Primary credential: none" while SKILL.md, README, and the script require several environment variables (accessKey/secretKey/bucket/endpoint/prefix/publicBaseUrl). That mismatch is an incoherence in packaging/metadata.
Instruction Scope
Runtime instructions are narrowly scoped to uploading a local file: they read a local file, call DogeCloud API endpoints (https://api.dogecloud.com/*) to list buckets and request a temporary token, and then upload via boto3 to the returned s3Endpoint. The SKILL.md and script do not attempt to read unrelated system files or call unrelated external endpoints.
Install Mechanism
There is no install spec (instruction-only skill plus a bundled Python script). The SKILL.md instructs installing Python deps with pip (boto3, requests) which is common and expected. Because the package includes an executable script that will be run locally, confirm you trust this specific script before running pip and executing it, but the install mechanism itself is standard and not using arbitrary download URLs.
Credentials
The credentials and env vars the script requires (accessKey/secretKey/DOGECLOUD_BUCKET/ENDPOINT/PREFIX/ PUBLIC_BASE_URL) are appropriate for uploading to DogeCloud, but the package metadata does not declare them. That omission is problematic because a user or automated system might not realize they will need to provide secrets. Also be careful: the script encourages using permanent AccessKey/SecretKey server-side, but running this locally (or handing these to an agent) will expose permanent credentials unless you follow the temporary-token flow; prefer least-privilege keys and short TTLs.
Persistence & Privilege
The skill does not request permanent platform presence (always:false) and does not modify other skills or global agent settings. It will run as invoked and can be invoked autonomously (default), which is expected for skills; no extra privileges are requested.
What to consider before installing
This appears to be a genuine DogeCloud OSS uploader script, but the package metadata incorrectly omits the env vars and credentials it needs. Before installing or running: (1) review the bundled script yourself (it’s included) and confirm the DogeCloud API host (https://api.dogecloud.com) is correct for your use; (2) do not hand over high-privilege or long-lived keys—create a limited-scope key or use the script’s temporary-token (OSS_UPLOAD) flow with short TTLs; (3) prefer setting only minimally-scoped credentials in a safe environment (server-side if possible) rather than exposing them to an automated agent you don’t fully control; (4) if you plan to let the agent invoke the skill autonomously, be explicit about which credentials will be available to it and consider removing permanent keys from the agent environment; (5) ask the skill author/maintainer to fix the registry metadata to declare required env vars so packaging and permissions are transparent.Like a lobster shell, security has layers — review code before you run it.
latestvk97fe45brv32kks3qzmpdpgdv581yzn1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binspython3