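📦 us3-uploader-encrypted — Encrypted file upload
v1.0.0
Encrypts files and uploads them to UCloud US3 (UFile) object storage, and automatically generates a secure download link for one-click sharing or export to end users.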
Last updated: 2026/4/21
Security scan
OpenClaw
Suspicious
high confidence
Assessment recommendations
This skill appears to implement a legitimate US3 uploader, but there are concerning inconsistencies and privilege choices you should address before installing: (1) Fix the metadata: declare required environment variables and the primary credential so the platform can surface what secrets the skill needs. (2) Remove or justify always:true — prefer user-invoked only unless you have a clear reason to force inclusion. (3) If you must provide keys, create a dedicated, least-privilege API key and a si...
⚠ Purpose and capability
The skill's stated purpose (upload files to UCloud US3) matches the provided script and docs. However the registry metadata declares no required environment variables or primary credential while the SKILL.md and the script require US3_PUBLIC_KEY, US3_PRIVATE_KEY and US3_BUCKET. That mismatch (declared vs. actual requirements) is incoherent and should be corrected before trusting the skill.
⚠ Instruction scope
SKILL.md explicitly instructs the agent to always upload any produced file and to run python3 scripts/upload_to_us3.py <file>. The script reads arbitrary file paths given to it and environment secrets, and will auto-install the ufile SDK if missing. The 'always upload' mandate combined with an auto-installing script increases the chance of accidental/excessive uploads (including sensitive files) and unexpected network activity.
ℹ Install mechanism
No install spec in registry (instruction-only), but the included script will attempt to run 'pip3 install -q ufile' at runtime via os.system if the SDK is missing. Installing packages at runtime over the network is a moderate risk (unreviewed code pulled from PyPI) and should be called out.
⚠ Credential requirements
The environment variables required by the script (US3_PUBLIC_KEY, US3_PRIVATE_KEY, US3_BUCKET, optional US3_ENDPOINT and US3_MAX_FILE_SIZE_MB) are appropriate for the uploader's function, but the registry metadata does not advertise them. The script requires a private API key (sensitive). Combined with the skill being always-included, this raises a real risk: a loaded skill with access to a PRIVATE_KEY could be invoked unexpectedly and upload files or generate signed URLs.
⚠ Persistence and privilege
The skill is marked always:true in its metadata, meaning it will be force-included in every agent run. That privilege combined with access to a private API key and an instruction that 'any produced file must be uploaded' is disproportionate — most uploader skills do not need to be always-enabled. This increases blast radius for accidental or malicious file uploads.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest v1.0.0 2026/3/14
● Suspicious
Install command
Official: npx clawhub@latest install us3-uploader-encrypted
Mirror: npx clawhub@latest install us3-uploader-encrypted --registry https://cn.longxiaskill.com