Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

rustfs-upload

v1.0.0

Upload images/files to RustFS object storage and return a public access link. Triggered when the user says "upload to rustfs", "rustfs image hosting", or "upload with rc".

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wzwei1990/rustfs-upload.

Install the skill "rustfs-upload" (wzwei1990/rustfs-upload) from ClawHub.
Skill page: https://clawhub.ai/wzwei1990/rustfs-upload
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install rustfs-upload

ClawHub CLI

npx clawhub@latest install rustfs-upload

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description match the included script: it uploads files to a RustFS (S3-compatible) endpoint via the 'rc' CLI. However the registry metadata advertised no required env vars or binaries, while SKILL.md and the script require RUSTFS_* environment variables and the 'rc' client. This mismatch is inconsistent with the stated packaging.
Instruction Scope
SKILL.md instructs running the included upload.sh and documents the exact env vars the script reads. The script only performs upload-related actions (checking file exists, setting/using an rc alias, creating the bucket if missing, copying the file, and printing a public URL). It does modify the user's rc alias configuration (rc alias set) and will create buckets; these side effects are within upload scope but should be made explicit to users.
Install Mechanism
There is no installer or third-party download; this is an instruction-only skill with one bundled shell script. Nothing is fetched from external URLs or written to arbitrary system locations by an installer.
Credentials
The script legitimately needs endpoint, access key, secret key, bucket, and public domain values. But the registry metadata did not declare any required env vars or config paths; instead the SKILL.md and script require sensitive variables (RUSTFS_ACCESS_KEY / RUSTFS_SECRET_KEY) and may persist them into rc's alias/config. Requesting and persisting secret keys is proportionate to the task but is sensitive and should be declared up front.
Persistence & Privilege
The skill is not always-enabled and can be invoked by the user. However the script will set an rc alias named 'rustfs-temp' (overwriting or creating entries in the user's rc config) and may create buckets. Modifying the rc client configuration and persisting credentials is a non-trivial side effect that users should be aware of.
What to consider before installing

This skill appears to do what it claims, but review the following before installing:

  • The registry metadata omits required env vars and binaries; SKILL.md and the script actually require the 'rc' CLI and RUSTFS_* environment variables. Expect to provide a sensitive Access Key and Secret Key.
  • The script will call 'rc alias set' and may create/overwrite an alias named 'rustfs-temp' in your rc configuration, potentially persisting secrets to disk. If you don't want credentials stored, provide short-lived or limited-scope keys, or inspect/modify the script to avoid alias creation.
  • The script will create buckets if missing and will construct a public URL using RUSTFS_PUBLIC_DOMAIN; confirm that PUBLIC_DOMAIN is correct and you understand the uploaded objects will be publicly addressable.
  • Origin is unknown. If you trust this skill, test it first with a disposable account/bucket and non-production credentials, and review the script (scripts/upload.sh) yourself. If you require stronger guarantees, request the publisher to update package metadata to declare the required env vars, binaries, and the fact that rc config will be modified.

latest vk97569kpns2vce034w5bxst90n84tz54
64 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

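rustfs-upload - RustFS Image Hosting Upload

Uses the rc command-line tool to upload files to RustFS (or S3-compatible object storage) and returns the assembled public access URL.

Prerequisite environment variables

Before invoking this skill, make sure the following environment variables are set correctly:

| Variable | Description | Example |
| --- | --- | --- |
| RUSTFS_ENDPOINT | RustFS service address | http://127.0.0.1:9000 |
| RUSTFS_ACCESS_KEY | Access Key | your-access-key |
| RUSTFS_SECRET_KEY | Secret Key | your-secret-key |
| RUSTFS_BUCKET | Target bucket name | my-bucket |
| RUSTFS_PUBLIC_DOMAIN | Public access domain (used to build the URL) | http://127.0.0.1:9001 |

If they are not set, the script tries to read them from the default configuration file (~/.config/rc/config.toml).

Trigger scenarios

  • "upload to rustfs"
  • "upload this image to the rustfs image host"
  • "send this file with rc"
  • "rc upload"

Usage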

bash ~/.openclaw/skills/rustfs-upload/scripts/upload.sh /path/to/image.png

Output

On success, returns JSON:

{
  "url": "http://127.0.0.1:9001/my-bucket/filename.png",
  "bucket": "my-bucket",
  "object": "filename.png",
  "size": "377716",
  "endpoint": "http://127.0.0.1:9000"
}

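Dependencies

  • rc - RustFS command-line client

  • jq - JSON parsing tool (optional, used to format output)

What it does not do

  • Does not edit images (cropping, compression, etc.)
  • Does not provide batch upload
  • Does not provide image management features
  • Does not provide deletion (images expire automatically)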
