Security Scan
OpenClaw
Suspicious
high confidence
Assessment and recommendations
This skill performs MinIO uploads and needs MINIO_* credentials — make sure you only provide scoped, short-lived credentials for the specific bucket. Note the registry metadata omits the required environment variables; confirm and correct that before installing. The README promises rich Markdown previews and automatic download-from-URL behavior, but the bundled script only uploads a local file and prints a presigned URL (or a small JSON blob) — if you need the promised Markdown/preview behavior ...
⚠ Purpose and capability
The overall purpose (upload files to MinIO and generate links) aligns with the code which uses MINIO_* env vars and the Minio client. However the registry metadata claims no required environment variables/credentials while SKILL.md and the script require MINIO_API_URL, MINIO_CONSOLE_URL, MINIO_ACCESS_KEY, MINIO_SECRET_KEY, and MINIO_BUCKET — this mismatch is incoherent and should be resolved before trusting the skill.
⚠ Instruction scope
SKILL.md promises rich Markdown output (file info, inline image previews, embedded video player) and describes automatically downloading a file if given a URL. The included script does not implement download-from-URL and in non-JSON mode prints only the presigned URL (JSON mode returns a simple object with presigned and console URLs). The documentation overpromises features the code does not provide.
ℹ Install mechanism
There is no install spec in the registry (instruction-only install), and SKILL.md instructs users to pip install the 'minio' package. This is reasonable and low-risk, but the absence of an install spec means the environment must already be prepared by the user/agent; verify the correct package and version are installed.
⚠ Credential requirements
The environment variables the script requires (MINIO_API_URL, MINIO_CONSOLE_URL, MINIO_ACCESS_KEY, MINIO_SECRET_KEY, MINIO_BUCKET) are appropriate for MinIO access. However the skill registry metadata did not declare any required env vars or a primary credential — this discrepancy is misleading. Also note that supplying access/secret keys grants write access to the target MinIO account/bucket, so credentials should be scoped and rotated.
✓ Persistence and privileges
The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system-wide settings. Autonomous invocation is allowed but is the platform default and not by itself a red flag here.
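Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v0.1.3 2026/2/26
● Suspicious
Install command
Official: npx clawhub@latest install minio-share
Mirror (accelerated): npx clawhub@latest install minio-share --registry https://cn.longxiaskill.com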