file-uploads

The file-uploads skill provides guidance and code patterns for implementing secure file upload systems, including S3 and Cloudflare R2 integration, presigned URL generation, and multipart upload handling.

652 installs, 6 use cases, quality 9/10

Is file-uploads safe to install?

Safe to install: our audit of file-uploads's source files found 0 shell commands, 0 external URLs, and no file writes (risk: none). Every command and URL listed appears verbatim in the skill's source. The skill provides documentation and code snippets for secure implementation. It does not execute code or perform network requests itself.

Who is this skill for?

Developers building file upload features who need to implement security best practices and performance optimizations.

What can you do with it?

  • Implementing secure S3 or Cloudflare R2 file uploads
  • Generating presigned URLs for direct client-to-storage uploads
  • Validating file types using magic bytes to prevent malicious uploads
  • Enforcing file size limits to prevent resource exhaustion
  • Sanitizing filenames to mitigate path traversal vulnerabilities
  • Optimizing image delivery and storage performance

How good is this skill?

Quality score: 9/10. The skill provides clear, actionable security patterns for common file upload vulnerabilities. It includes specific library recommendations and code examples.

What does the skill file contain?

SKILL.md
# File Uploads & Storage

Expert at handling file uploads and cloud storage. Covers S3,
Cloudflare R2, presigned URLs, multipart uploads, and image
optimization. Knows how to handle large files without blocking.

**Role**: File Upload Specialist

Careful about security and performance. Never trusts file
extensions. Knows that large uploads need special handling.
Prefers presigned URLs over server proxying.

### Principles

- Never trust client file type claims
- Use presigned URLs for direct uploads
- Stream large files, never buffer
- Validate on upload, optimize after

## Sharp Edges

### Tr...

Frequently asked questions

How does this skill prevent users from uploading malicious files disguised as images?

It recommends validating files using magic bytes via the file-type library rather than relying on file extensions or Content-Type headers.

How can I prevent path traversal attacks during file uploads?

The skill advises against using user-provided filenames directly. It suggests using path.basename() and generating new, randomized filenames using crypto.randomUUID().

What is the recommended approach for handling large file uploads?

The skill recommends streaming files instead of buffering them and enforcing strict file size limits on both the server and client side.

How do I ensure presigned URLs remain secure?

Use short expiration times, set Cache-Control headers to no-store, and avoid caching presigned URLs in CDNs.
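
The magic-byte and filename answers above, combined into one server-side check. This is an added example, not code from the skill's source. The small signature table stands in for the file-type library so the block runs without dependencies, and `planUpload`, `displayName`, `MAX_BYTES`, the `uploads/` key prefix and the sample inputs are assumptions made for illustration.

```javascript
const path = require("node:path");
const crypto = require("node:crypto");

// Stand-in for the file-type library: leading-byte signatures for the
// only types this hypothetical endpoint accepts.
const SIGNATURES = [
  { mime: "image/png", ext: "png", magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", ext: "jpg", magic: [0xff, 0xd8, 0xff] },
  { mime: "application/pdf", ext: "pdf", magic: [0x25, 0x50, 0x44, 0x46, 0x2d] },
];
const MAX_BYTES = 5 * 1024 * 1024; // assumed limit for this example

// Identify content from its first bytes; extension and Content-Type are ignored.
function sniffType(head) {
  return SIGNATURES.find((s) =>
    head.length >= s.magic.length && s.magic.every((b, i) => head[i] === b)) || null;
}

// The client name survives only as a display label. Backslashes are normalised
// first because path.basename() on POSIX does not treat "\" as a separator.
function displayName(clientName) {
  const base = path.posix.basename(String(clientName).replace(/\\/g, "/"));
  const clean = base.replace(/[^\w.\- ]/g, "_").slice(0, 100);
  return clean === "" || clean === "." || clean === ".." ? "file" : clean;
}

// Decide whether to accept an upload and under which storage key.
function planUpload({ clientName, clientMime, size, head }) {
  if (!Number.isInteger(size) || size <= 0 || size > MAX_BYTES) {
    return { ok: false, reason: "size" };
  }
  const detected = sniffType(head);
  if (!detected) return { ok: false, reason: "unrecognized-content" };
  // Policy choice in this example: a claim that disagrees with the bytes is rejected.
  if (clientMime !== detected.mime) return { ok: false, reason: "type-mismatch" };
  // The storage key is built only from server-generated values.
  const key = `uploads/${crypto.randomUUID()}.${detected.ext}`;
  return { ok: true, key, mime: detected.mime, displayName: displayName(clientName) };
}

// Constructed sample inputs (not real uploads).
const PNG_HEAD = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const SCRIPT_AS_PNG = Buffer.from("<?php echo 1; ?>");
const PDF_HEAD = Buffer.from("%PDF-1.7\n");

console.log(planUpload({ clientName: "../../etc/cron.d/x.png", clientMime: "image/png", size: 2048, head: PNG_HEAD }));
console.log(planUpload({ clientName: "avatar.png", clientMime: "image/png", size: 2048, head: SCRIPT_AS_PNG }));
```

Only the first bytes of the stream are needed for `head`, so the check fits a streaming upload path without buffering the whole file.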

Data sourced from sickn33/antigravity-awesome-skills on GitHub. Install counts from skills.sh. The summary and security audit are derived from the skill's source files: every command and URL listed appears verbatim in the source.
