Upload any local file or directory to PinMe (pinme.eth.limo) and instantly get a short shareable URL (*.pinit.eth.limo). Supports all file types: HTML pages,...
Security Analysis
high confidence
This skill appears to do what it says, but it needs review because it can publicly publish local files, auto-installs an npm CLI, and may persist an AppKey unexpectedly.
The core purpose is coherent: it uploads user-specified files or directories to PinMe/public IPFS, returns URLs, and supports related account actions such as list, unpin, wallet, logout, and AppKey setup.
The trigger text includes broad requests such as uploading a file or giving a public link, while the action can publish content to public, hard-to-delete IPFS storage; the artifacts warn users, but the script does not require a confirmation gate before upload.
If the PinMe CLI is missing, the script automatically runs an unpinned npm global install of the pinme package, including a fallback global install path. This is disclosed, but it grants package-install and third-party code-execution authority during normal use.
The script primarily reads the path the user supplies, enforces size limits, and calls the PinMe CLI, which fits the upload purpose. The impact is still high because arbitrary chosen local files or directories become publicly accessible.
Persistent AppKey storage is mostly disclosed and uses a 0600 local file, but the documented PINME_APPKEY one-shot override can still be written into the PinMe CLI configuration when no CLI key exists. Logout attempts to clear both CLI state and the local file; no background persistence was found.
Guidance
Review before installing. Use it only for files you are comfortable making public permanently, preinstall and verify the PinMe CLI yourself if possible, avoid using PINME_APPKEY for secrets you expect to remain ephemeral, and check for and log out of any stored PinMe credentials after testing.
Latest Release
v1.0.0
Initial release — upload any file or directory to PinMe (public IPFS) and get a shareable URL.
- Supports all file types and whole directories; generates a short <something>.pinit.eth.limo link.
- Strong public data warning: do not upload private or sensitive information.
- Requires a PinMe AppKey (supports automatic CLI integration and XDG/composable config).
- Includes commands for upload, view history, unpin, wallet/quota check, and logout.
- Outputs machine-readable JSON to stdout for seamless scripting; all warnings/errors go to stderr.
- Includes robust error handling and detailed reference for agent integration.
Published by @songhonglei on ClawHub