Cloudflare R2 CLI
v1.0.6
Minimal Python CLI for secure upload, download, list, and delete operations on Cloudflare R2 storage using AWS Signature V4 authentication.
by Web3 Hungry (@zororaka00)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The declared purpose (Cloudflare R2 CLI) matches the code and instructions (upload/download/list/delete using AWS SigV4). However the registry metadata at the top of the provided manifest claims no required env vars/binaries while SKILL.md and the code require five sensitive environment variables (account id, access key id, secret, bucket, region). This metadata mismatch is incoherent and could cause automated platforms to mis-handle secrets or permissions.
Instruction Scope
SKILL.md instructs the user to set and verify environment variables and to install defusedxml if missing; those instructions stay within the stated purpose. One operational detail: the code reads required environment variables at import time and exits if they are missing, which means simply loading or invoking the skill without env vars will terminate the process — this is a behavior the runtime should be aware of but is not inherently malicious.
Install Mechanism
This is an instruction-only skill with no install spec and a single Python file. It uses defusedxml (recommended to be pip-installed). No downloads from untrusted URLs or archives are present; installation risk is low.
Credentials
The skill legitimately requires Cloudflare R2 credentials (ACCESS_KEY_ID and SECRET_ACCESS_KEY, account id, bucket). Those sensitive env vars are appropriate for the stated functionality. The concern is the inconsistent registry metadata (claims no required envs) which could hide or misrepresent the need to provide secrets to the runtime. The number and type of env vars requested are otherwise proportionate to the task.
Persistence & Privilege
The skill does not request permanent presence (always: false) and does not modify other skills or system-wide settings. Model invocation is allowed (default) but combined with the other findings does not by itself raise a privilege concern.
What to consider before installing
This skill appears to be a straightforward R2 CLI, but be careful: the registry metadata claims no required env vars while the SKILL.md and r2.py require five sensitive environment variables (account ID, access key ID, secret, bucket, region). Before installing or enabling this skill:
- Treat CF_R2_ACCESS_KEY_ID and CF_R2_SECRET_ACCESS_KEY as sensitive credentials and provide them via a secure secret manager or ephemeral environment, not in persistent config or code.
- Confirm the platform/registry entry is updated to declare required env vars so secrets aren't accidentally omitted or exposed by automation.
- Test the script in a non-production environment first (it reads env vars at import and will exit if they are missing).
- Review that the ACCOUNT_ID you supply will result in requests to *.r2.cloudflarestorage.com (the code enforces this host).
- If you need least-privilege, create an access key limited to the specific bucket and operations required.
If the metadata mismatch was intentional or you cannot confirm origin/trustworthiness of the skill source, do not provide production credentials.
Like a lobster shell, security has layers — review code before you run it.
