Doge Oss Upload
PassAudited by ClawScan on May 1, 2026.
Overview
This skill is a purpose-aligned DogeCloud OSS uploader, but users should notice that it uses DogeCloud access keys, installs Python dependencies, and can make uploaded files publicly reachable.
Install only if you intend to upload selected local files to DogeCloud OSS and create public link candidates. Configure least-privilege DogeCloud credentials, avoid OSS_FULL unless necessary, verify the file and target object key before uploading, and use a trusted Python environment for the dependencies.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured with powerful DogeCloud keys, the skill can use those credentials to obtain upload tokens and interact with the configured bucket.
The skill requires DogeCloud account credentials and bucket configuration to request temporary upload credentials. This is expected for DogeCloud OSS uploads, but it gives the script delegated cloud account authority.
`accessKey` / `DOGECLOUD_ACCESS_KEY`; `secretKey` / `DOGECLOUD_SECRET_KEY`; `bucket` / `DOGECLOUD_BUCKET`
Use least-privilege DogeCloud keys where possible, prefer the default OSS_UPLOAD channel, and avoid sharing broad account credentials with unnecessary agents or environments.
A broad scope or OSS_FULL setting could grant more temporary authority than needed for a single upload.
The uploader can request scoped temporary credentials and supports broader explicit options such as wildcard scope or OSS_FULL. The default is narrower upload-only behavior, so this is a user-notice item rather than a concern.
parser.add_argument("--scope", help="Scope key for tmp token. Defaults to the final object key. Supports wildcard like uploads/*.") ... choices=["OSS_UPLOAD", "OSS_FULL"]Keep the default OSS_UPLOAD channel and default single-object scope unless there is a clear reason to broaden access.
The installed package versions may differ between runs and depend on the current package index state.
The setup instructions install unpinned third-party Python packages. These dependencies are expected for S3-compatible upload and HTTP API calls, but unpinned installs can change over time.
python3 -m pip install -U boto3 requests
Install dependencies in a virtual environment and consider pinning trusted versions of boto3 and requests for reproducible use.