📦 Giggle Files Management — 文件托管
v0.2.0一键上传文件至 Giggle 资源服务,即时获取公开或下载直链,方便分享与集成。
0· 285·1 当前·1 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to do what it says (get a presigned URL, upload to S3, register the asset), but a few things to consider before installing:
- The SKILL.md insists the agent should 'always upload' files it needs to send. That policy can lead to accidental upload of sensitive files (credentials, configs, private documents) if the agent reads them for context. Only allow the skill when you trust the agent's file-access rules and the Giggle service.
- The doc claims it can read ~/.openclaw/openc...详细分析 ▾
ℹ 用途与能力
Name, description, required binaries (curl, jq), and primaryEnv (GIGGLE_ASSET_SERVICE_KEY) align with a simple upload-to-asset-service skill. The included upload.sh implements presign → PUT → register flow against api.giggle.pro/S3 which matches the stated purpose.
⚠ 指令范围
SKILL.md instructs the agent to 'always upload' any file it needs to show or send and to upload files read via a 'read' tool. That blanket directive can cause accidental uploading of sensitive or private files the agent might read for context. SKILL.md also claims fallback resolution via ~/.openclaw/openclaw.json, but the shipped script only reads environment variables (GIGGLE_ASSET_SERVICE_KEY, STORYCLAW_API_KEY) and does not read that file — an inconsistency between the runtime instructions and the actual script.
✓ 安装机制
No install spec; only an instruction file and a single shell script are provided. No external archives or downloads are performed during install. This is low-risk from an installation perspective.
ℹ 凭证需求
The skill declares a single primary credential (GIGGLE_ASSET_SERVICE_KEY), which is appropriate. SKILL.md mentions a fallback STORYCLAW_API_KEY and a config file path, but registry metadata did not declare STORYCLAW_API_KEY and the script only checks the two env vars. This minor mismatch should be clarified but is not, by itself, a severe overreach.
✓ 持久化与权限
The skill is not always-included (always:false) and does not request system-wide configuration changes. It can be invoked by the agent (disable-model-invocation:false), which is the normal behavior for skills.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.2.02026/3/6
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install giggle-files-management
镜像加速npx clawhub@latest install giggle-files-management --registry https://cn.longxiaskill.com