Share One-Time Link — Share tool
v1.1.1 [AI-assisted] Generate public one-shot or time-limited download links for files using a local Express server exposed via Cloudflare Tunnel. Links are tokenized, expire aut...
Security scan
OpenClaw
Safe
Medium confidence: The skill appears to do what it says (serve one-time download links via a local Express server + Cloudflare Tunnel); nothing in the code looks like hidden exfiltration or unrelated capability, but there are a few mismatches and operational risks you should be aware of before installing.
Assessment recommendation
This skill's code implements exactly the advertised behavior (local Express server, tokenized one-time links, file deletion). Before installing or running: 1) Review the included scripts locally (server.js, share-file.js) — they are small and readable. 2) Always set a strong SHARE_SECRET before exposing the tunnel; if SHARE_SECRET is unset the /generate and /status endpoints are unprotected (this is documented in SKILL.md). 3) Ensure you configure the Cloudflare Tunnel correctly and verify PUBLI...
✓ Purpose and capabilities
Name/description align with required binaries (node, cloudflared) and included code: an Express server, a helper script that copies files into an isolated shared/ directory and requests tokenized one-time links. Required binaries are appropriate for the stated purpose.
ℹ Instruction scope
Runtime instructions stay within the stated purpose: only files under an isolated SHARED_DIR are served, links are tokenized and deleted after download/expiry, and the helper script calls the local /generate endpoint. However SKILL.md requires setting SHARE_PUBLIC_URL and SHARE_SECRET but the registry metadata says no required env vars — a mismatch. The server explicitly allows unprotected /generate and /status when SHARE_SECRET is unset (and logs a warning), which is documented but increases risk if the user exposes the tunnel without setting SHARE_SECRET.
ℹ Installation mechanism
There is no registry 'install' spec (the skill is listed as instruction-only) but the package includes code and a package.json; the SKILL.md instructs you to run npm install in scripts/. This is not inherently dangerous, but it means the skill writes code to disk and requires you to run npm, which is a manual step and should be reviewed before running.
⚠ Credential requirements
The registry declares no required env vars but SKILL.md and the code rely on SHARE_PUBLIC_URL and recommend SHARE_SECRET (and optionally SHARED_DIR, SHARE_PORT). The server will operate with those unset (defaulting PUBLIC_URL to localhost and leaving endpoints unprotected), which is documented but could lead to accidental public exposure if you run the tunnel without setting SHARE_SECRET. The number and type of env vars are proportional to the task but should be declared up front.
✓ Persistence and permissions
The skill does not request 'always' or other elevated platform privileges, does not modify other skills, and does not persist credentials beyond its own files. It runs as a user-level service and stores tokens in-memory only.
⚠ scripts/share-file.js:25
Environment variable access combined with network send.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.1.1 2026/4/9
Packaging fix: exclude node_modules and package-lock.json from published bundle to reduce false positive security alerts
● Suspicious
Install command
Official: npx clawhub@latest install share-onetime-link
Mirror (CN): npx clawhub@latest install share-onetime-link --registry https://cn.clawhub-mirror.com
Skill documentation
Generate public, tokenized, self-destructing download links for files. Files are served via a local Express server exposed to the internet through a Cloudflare Tunnel.
Features
- ✅ Public access — no VPN required, works from anywhere
- ✅ One-shot links — token invalidated after the first download
- ✅ Configurable TTL — link expires after N minutes (default: 60)
- ✅ Auto-cleanup — file deleted from shared/ after download or expiry
- ✅ Protected endpoints — /generate and /status require SHARE_SECRET
- ✅ Isolated directory — only files in shared/ are served, never the full workspace
- ✅ No login required for download — anyone with the link can download once
Requirements
- Node.js
- cloudflared installed and a Cloudflare Tunnel configured pointing to localhost:5050
- Set SHARE_PUBLIC_URL to the public tunnel URL (e.g. https://share.yourdomain.com)
- Set SHARE_SECRET to a strong random string (recommended)
Setup
1. Install dependencies
cd skills/share-onetime-link/scripts
npm install
2. Configure Cloudflare Tunnel
Create a tunnel in the Cloudflare Zero Trust dashboard:
- Service: http://localhost:5050
- Public hostname: e.g. share.yourdomain.com
Run the tunnel:
cloudflared tunnel run --token YOUR_TUNNEL_TOKEN
3. Start the server
SHARE_PUBLIC_URL="https://share.yourdomain.com" \
SHARE_SECRET="your-strong-random-secret" \
node skills/share-onetime-link/scripts/server.js
Or use start.sh (edit variables first):
bash skills/share-onetime-link/scripts/start.sh
Usage
Generate a link (via script)
SHARE_SECRET="your-secret" \
node skills/share-onetime-link/scripts/share-file.js /path/to/file.pdf 30
# Returns a public link valid for 30 minutes
Generate a link (via agent)
Just ask naturally:
"Share report.pdf for 20 minutes"
"Generate a download link for photo.jpg, valid 1 hour"
Check active links
curl -H "x-share-secret: your-secret" http://localhost:5050/status
Environment variables
| Variable | Required | Default | Description |
|---|---|---|---|
| SHARE_PUBLIC_URL | Yes | http://localhost:5050 | Public base URL for generated links |
| SHARE_SECRET | Recommended | (none) | Secret key for /generate and /status endpoints |
| SHARE_PORT | No | 5050 | Local server port |
| SHARED_DIR | No | workspace/shared/ | Directory for shared files |
Security notes
- /dl/:token is public by design — anyone with the link can download once
- /generate and /status are protected by SHARE_SECRET — set it before exposing publicly
- If SHARE_SECRET is not set, a warning is logged and the endpoints are unprotected
- Files outside shared/ are never accessible
- Tokens are cryptographically random (32 bytes / 64 hex chars)
- TTL is enforced server-side regardless of client behavior
- Never put sensitive files in SHARED_DIR unless you intend to share them
Source: ClawHub · Chinese optimization: 龙虾技能库