📦 Local File Sender — 本地文件秒传
v1.0.2自然语言指定本地路径,一键上传至云存储并返回下载链接,兼容 Windows/Linux/macOS,仅本地 OpenClaw 可用。
0· 87·0 当前·0 累计
by @2656255594下载技能包
最后更新
2026/4/11
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill does what it says (uploads local files and returns links), but it also can upload any file you point it at to an external service whose ownership/configuration is not documented. Before installing or using: 1) only enable this on a trusted local deployment (not cloud); 2) ask the skill developer/operator: where are files uploaded, who controls the storage, are links public, what is retention/expiration, and are credentials required; 3) require an explicit user confirmation step before...详细分析 ▾
✓ 用途与能力
The name/description (send local files to cloud storage and return a link) matches the SKILL.md steps: extract path, check file exists, call lightclaw_upload_file with the path, then send the link. The declared requirement 'deployment: local' is appropriate. The referenced tool lightclaw_upload_file is consistent with the stated goal, though its provenance is not described.
⚠ 指令范围
Runtime instructions explicitly run shell commands (Test-Path / ls) and upload whatever path the user supplies. There are no explicit safeguards: no confirmation step, no whitelisting/blacklisting of sensitive locations, no size/content validation beyond a generic 'file too large' message. Because the skill will accept arbitrary paths and upload them to an external service, it can unintentionally exfiltrate sensitive local files if misused or invoked without clear user consent.
✓ 安装机制
Instruction-only skill with no install spec or code files — lowest install risk. Nothing is written to disk by the skill itself according to provided metadata.
⚠ 凭证需求
No environment variables or credentials are declared, yet the SKILL.md relies on a tool (lightclaw_upload_file) that will upload files to a cloud service and return public links (example domain shown). The skill does not document who controls the upload endpoint, what credentials or API keys are used, or whether uploads are private. The absence of declared credentials or configuration for the upload service is a gap and makes it impossible to verify proportionality or trustworthiness of the destination.
ℹ 持久化与权限
The skill is not always-enabled and is user-invocable, which is normal. However, since the platform allows autonomous invocation by default, combining that with an ability to read local paths and upload them externally increases potential blast radius — consider restricting autonomous invocation or requiring explicit confirmation before any upload.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.22026/4/10
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install local-file-sender
镜像加速npx clawhub@latest install local-file-sender --registry https://cn.longxiaskill.com