Security Scan
OpenClaw
Suspicious
High confidence: The skill generally does what it says (uploads a local file to Qiniu and returns a URL), but the package is inconsistent about where credentials come from and what it needs, and the shipped script has a bug; treat it as suspicious until those issues are fixed and credential access is clarified.
Assessment Recommendations
This skill will upload any local file you point it at to a Qiniu bucket. Before installing or running it: (1) Do not use it for private or sensitive files; uploaded objects may be publicly accessible. (2) Inspect your ~/.openclaw/config.json to see what Qiniu credentials would be used: the skill reads qiniu_access_key, qiniu_secret_key, qiniu_bucket_name, and qiniu_domain from that file, but the skill metadata did not declare this requirement. (3) Consider storing credentials in a place you cont...
⚠ Purpose and Capabilities
The skill's stated purpose (upload a local file to Qiniu) matches the code's behavior, but the registry metadata claims no required config or credentials while the script reads Qiniu credentials and settings from ~/.openclaw/config.json. The manifest should declare that it needs Qiniu credentials/config; the current mismatch is incoherent.
⚠ Instruction Scope
SKILL.md tells the user to install the qiniu Python package and run the script with --file and warns about public uploads, but it does NOT document the required configuration file location or required config keys (qiniu_access_key, qiniu_secret_key, qiniu_bucket_name, qiniu_domain). The runtime instructions therefore omit essential configuration steps. Also, the script will attempt to read arbitrary local file paths (which is necessary for the stated purpose) — this is expected but should be explicitly documented as a privacy risk (the README warns about sensitivity, which is good).
ℹ Installation Mechanism
No install spec (instruction-only) — low install risk. SKILL.md correctly instructs to pip install the qiniu package; that dependency is reasonable for the stated functionality. No network downloads of arbitrary code are included in the skill bundle itself.
⚠ Credential Requirements
The skill requires sensitive Qiniu credentials (access key/secret + bucket/domain) but does not declare them in metadata; instead it silently reads ~/.openclaw/config.json. Requesting access to a user-owned config file with credentials is proportionate to the upload task only if clearly declared and optional alternatives (environment variables) are provided. The lack of disclosure and the unexpected config path are disproportionate and surprising.
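Recommendation (2) above asks the user to inspect ~/.openclaw/config.json for the four Qiniu keys, and the credential finding asks for a declared, environment-variable-first alternative. The script below is an added example written for this review, not code from the file-to-link skill or the OpenClaw project: it audits a config.json for the keys the scan names (qiniu_access_key, qiniu_secret_key, qiniu_bucket_name, qiniu_domain), masks the two secrets when reporting, flags a config file that other local users can read or modify, and shows the explicit precedence a corrected skill could document. The QINIU_* environment variable names and the constructed sample config are assumptions of this example; the skill documents neither.

```python
"""Audit helper for the Qiniu settings the file-to-link skill reads.

Added example (not the skill's own code). It checks ~/.openclaw/config.json
for the four keys the scan report names, masks their values, flags a
world-readable config file, and shows an environment-variable-first loader.
The QINIU_* environment variable names are an assumption of this example.
"""
import json
import os
import stat
import tempfile

# Keys the scan report says the shipped script reads from ~/.openclaw/config.json.
REQUIRED_KEYS = ("qiniu_access_key", "qiniu_secret_key", "qiniu_bucket_name", "qiniu_domain")
# Secrets are masked in every report; the bucket name and domain are not secrets.
SECRET_KEYS = {"qiniu_access_key", "qiniu_secret_key"}
# Hypothetical environment variable names (this example's convention, not the skill's).
ENV_NAMES = {key: key.upper() for key in REQUIRED_KEYS}

DEFAULT_CONFIG = os.path.expanduser("~/.openclaw/config.json")


def mask(value):
    """Show the last four characters so a value can be recognised, never disclosed."""
    value = str(value)
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


def audit_config(config):
    """Report which required keys a parsed config.json provides, with secrets masked."""
    present, missing = {}, []
    for key in REQUIRED_KEYS:
        value = config.get(key)
        if value in (None, ""):
            missing.append(key)
        elif key in SECRET_KEYS:
            present[key] = mask(value)
        else:
            present[key] = str(value)
    return {"present": present, "missing": missing}


def permission_findings(mode):
    """Flag a config file holding secrets that other local users can read or change."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("config.json is readable by group/other; chmod 600 it")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("config.json is writable by group/other; someone could swap in their own bucket")
    return findings


def resolve_credentials(env, config):
    """Environment variables win over config.json; fail loudly on anything missing.

    Returns (values, sources) so the caller can show where each setting came from,
    which is the disclosure the scan report says the skill currently lacks.
    """
    resolved, sources, missing = {}, {}, []
    for key in REQUIRED_KEYS:
        env_name = ENV_NAMES[key]
        if env.get(env_name):
            resolved[key], sources[key] = env[env_name], "env:" + env_name
        elif config.get(key):
            resolved[key], sources[key] = config[key], "config.json"
        else:
            missing.append(key)
    if missing:
        raise KeyError("missing Qiniu settings: " + ", ".join(missing))
    return resolved, sources


def check_config_file(path=DEFAULT_CONFIG):
    """Audit an on-disk config.json: key coverage plus file permissions."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    report = audit_config(config)
    report["permissions"] = permission_findings(os.stat(path).st_mode)
    return report


if __name__ == "__main__":
    # Constructed sample config with fake values so the audit runs offline.
    sample = {"qiniu_access_key": "AKFAKE1234EXAMPLE", "qiniu_bucket_name": "demo-bucket"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # deliberately loose so the permission check fires
        print(json.dumps(check_config_file(path), indent=2))
```

Run it as-is to see the audit on the constructed sample, or call check_config_file() with no argument to audit your real ~/.openclaw/config.json; the report never prints the access or secret key in full.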
✓ Persistence and Permissions
The skill does not request persistent or elevated privileges, does not set always:true, and has no install hooks. It only reads a config file from the user's home and performs network uploads as part of its function — expected for this purpose.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Version
latest v1.0.0 2026/3/26
- Initial release: Uploads local files to Qiniu Cloud Storage and returns a public URL.
- Improved reliability by switching from a temporary hosting service to Qiniu Kodo.
- Correctly handles file paths with special characters (e.g., Chinese, spaces).
- Security note: Uploaded files may become publicly accessible; do not use for sensitive data.
- Requires the qiniu Python package.
● Suspicious
Install Command
Official: npx clawhub@latest install file-to-link
Mirror (accelerated): npx clawhub@latest install file-to-link --registry https://cn.longxiaskill.com