Clawhub Rate Limited Publisher Fixed
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s publishing workflow is coherent, but its helper can run queue-controlled shell commands under an optional scheduler, which is broader than a safe ClawHub publish wrapper.
Review the queue file and target skill paths carefully before running this. Prefer dry-run first, verify the logged-in ClawHub account, avoid custom queue commands, and do not configure cron/systemd until the command-execution issue is fixed or you have independently audited the helper.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or mistaken queue entry, or a skill directory name containing shell metacharacters, could cause local shell commands beyond `clawhub publish` to run when the helper executes, including from cron.
A queue item can supply the command template, and the skill path is interpolated into a shell string. The only command validation is that the string contains {path}.
command = item.get("command", DEFAULT_COMMAND) ... command_str = item.command.format(path=str(skill_path)) ... subprocess.run(command_str, shell=True, ...)Remove `shell=True`, call `clawhub` with an argument list, reject custom commands by default or enforce a strict allowlist, quote paths safely if a shell is unavoidable, and require explicit review for any non-default command.
Publish attempts will use the currently logged-in ClawHub identity and may create or update public skill listings under that account.
The workflow uses the user’s existing authenticated ClawHub CLI session to publish skills, which is expected but account-affecting.
`clawhub` must already be installed and authenticated on the host.
Before executing, run `clawhub whoami`, dry-run the queue, and confirm every queued skill path should be published from that account.
If configured, scheduled runs may keep attempting publishes until the queue is complete or the scheduler is disabled.
The skill recommends persistent host scheduling. This is disclosed and aligned with rate-limited publishing, but it means the workflow can continue after the chat task ends.
Prefer a host scheduler such as cron or systemd timer so uploads happen automatically every 12 minutes.
Create scheduler entries manually, keep logs visible, and remove or disable the cron/systemd timer when publishing is finished.
Users may not have the scheduler templates the documentation tells them to use, increasing the chance of manual setup mistakes.
The supplied manifest lacks the `resources/cron.example` and `resources/systemd.timer.example` files referenced by the documentation, creating a packaging/setup inconsistency.
6 file(s): README.md, SELF_CHECK.md, SKILL.md, examples/queue.sample.json, scripts/clawhub_rate_limited_uploader.py, tests/smoke-test.md
Do not rely on missing resource examples; create and review cron/systemd entries yourself, or request a package that includes the referenced files.