ClawHub

openclaw-oss-skills

v1.0.0

Upload generated artifacts from an OpenClaw workspace to an Alibaba Cloud OSS bucket using credentials from environment variables, then return a temporary si...

1· 27·1 current·1 all-time
by@zhenghuanluck

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zhenghuanluck/openclaw-oss-skills.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "openclaw-oss-skills" (zhenghuanluck/openclaw-oss-skills) from ClawHub.
Skill page: https://clawhub.ai/zhenghuanluck/openclaw-oss-skills
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: OSS_ACCESS_KEY_ID, OSS_ACCESS_KEY_SECRET, OSS_BUCKET, OSS_ENDPOINT
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openclaw-oss-skills

ClawHub CLI

Package manager switcher

npx clawhub@latest install openclaw-oss-skills
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the required binaries (python3), Python dependency (oss2), and the OSS-related environment variables (OSS_ACCESS_KEY_ID, OSS_ACCESS_KEY_SECRET, OSS_BUCKET, OSS_ENDPOINT). Required items are proportional to the stated upload-and-sign purpose.
Instruction Scope
SKILL.md instructs the agent to run the included Python uploader on explicit local paths and to return the signed URL. The instructions only reference environment variables and files relevant to uploading; they do not request unrelated system files or credentials.
Install Mechanism
Install steps are limited to installing Python (brew formula) and the oss2 Python SDK (uv / pip). No downloads from untrusted personal URLs or extract-from-arbitrary-archives occur.
Credentials
Environment variables requested are OSS-specific (access key/secret, bucket, endpoint, and optional STS token, prefix, expires, public endpoint, CNAME flag). The credentials requested are necessary for the upload and signing operations and are not excessive.
Persistence & Privilege
always is false and the skill is user-invocable; agents/openai.yaml allows implicit invocation (allow_implicit_invocation: true) which is expected for an upload skill but means the agent may call this skill automatically when relevant. The script creates temporary zip archives in the system temp directory and does not delete them after upload, so temporary artifacts may remain on disk.
Assessment
This skill appears to do exactly what it says: zip local files (if needed), upload them to an Alibaba Cloud OSS bucket, and return a signed download URL. Before installing or using it: - Only provide OSS credentials that are scoped appropriately (least privilege) — ideally limited to the specific bucket and put/get permissions, or use short-lived STS tokens. - Review OSS_ENDPOINT and OSS_PUBLIC_ENDPOINT values to ensure uploads and returned links point where you expect (no unexpected CNAMEs). - Be aware the script will create a zip in the system temp directory for multi-file uploads and does not remove it after success; clean up if that matters. - If you don't want automatic uploads, restrict implicit invocation or require explicit user action before running the skill. - Verify uploaded content before sharing signed links and consider using a short OSS_EXPIRES value when appropriate.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

☁️ Clawdis
Binspython3
EnvOSS_ACCESS_KEY_ID, OSS_ACCESS_KEY_SECRET, OSS_BUCKET, OSS_ENDPOINT
Primary envOSS_ACCESS_KEY_ID

Install

Install Python 3
Bins: python3
brew install python@3
Install Alibaba Cloud OSS Python SDKuv tool install oss2
latestvk97d06bzdtck3jqv6c23ch4h9d85q1bb
27downloads
1stars
1versions
Updated 9h ago
v1.0.0
MIT-0
@zhenghuanluck
latest
Download

OpenClaw OSS Artifact

Use this skill after creating a file, directory, or set of files that the user needs to download from an OSS signed URL.

Requirements

Credentials and defaults come from environment variables:

  • OSS_ACCESS_KEY_ID (required)
  • OSS_ACCESS_KEY_SECRET (required)
  • OSS_BUCKET (required)
  • OSS_ENDPOINT (required, for example https://oss-cn-hangzhou.aliyuncs.com)
  • OSS_STS_TOKEN (optional, for temporary credentials)
  • OSS_PREFIX (optional, object key prefix; default openclaw-artifacts)
  • OSS_EXPIRES (optional, signed URL lifetime in seconds; default 3600)
  • OSS_PUBLIC_ENDPOINT (optional, endpoint used in the returned URL if it differs from upload endpoint)
  • OSS_IS_CNAME (optional, set to 1 when the endpoint is a custom OSS CNAME)

The access key must have permission to put objects into the configured bucket and read them through signed URLs. The uploader uses the Alibaba Cloud oss2 Python SDK. If it is not installed, install it with python3 -m pip install oss2.

Workflow

  1. Finish generating the artifact locally.
  2. Confirm the local artifact path exists.
  3. Run the bundled uploader:
python3 skills/openclaw-oss-skills/scripts/upload_to_oss.py /absolute/path/to/artifact

For multiple files or a directory, pass each path. The script automatically creates a zip archive before upload:

python3 skills/openclaw-oss-skills/scripts/upload_to_oss.py /path/to/file-a.pdf /path/to/output-dir

If the skill folder is the current directory, run the script directly:

python3 scripts/upload_to_oss.py /absolute/path/to/artifact
  1. Return the download_url shown by the script to the user as a Markdown link. Mention the expiration time if the user may need to know it.

Options

  • --object-key <key>: upload with an explicit OSS object key. Use only for a single file.
  • --prefix <prefix>: override OSS_PREFIX.
  • --bucket <bucket>: override OSS_BUCKET.
  • --endpoint <endpoint>: override OSS_ENDPOINT.
  • --public-endpoint <endpoint>: override OSS_PUBLIC_ENDPOINT.
  • --expires <seconds>: override OSS_EXPIRES.
  • --json: print machine-readable JSON only.

Output Contract

The script prints:

  • object_key: object path inside the bucket
  • download_url: signed URL for direct download
  • expires_at: ISO-8601 UTC expiration time
  • source: uploaded local file or temporary zip path

In the final answer, include the signed link and keep the local path available for debugging if upload fails.

Comments

Loading comments...