ClawHub
Back to skill
v1.0.0

Clawhub Rate Limited Publisher Fixed

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:10 AM.

Analysis

This skill is mostly consistent with its publishing purpose, but it can automatically publish under your ClawHub account and its queue can run broad shell commands, so it needs review before use.

GuidanceInstall or use this only if you are comfortable running local scripts that publish under your ClawHub account. Before enabling cron/systemd, inspect the queue JSON carefully, avoid custom `command` entries, run `--dry-run`, confirm the active ClawHub account, and prefer a version that does not use `shell=True` for queue-provided command text.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityHighConfidenceHighStatusConcern
scripts/clawhub_rate_limited_uploader.py
command = item.get("command", DEFAULT_COMMAND) ... "{path}" not in command ... subprocess.run(command_str, shell=True, ...)

A queue item can supply a command template, the validation only checks that it contains `{path}`, and the resulting string is executed with `shell=True`. This allows a custom or tampered queue file to run commands beyond the intended `clawhub publish` workflow.

User impactIf the queue file is modified or created incorrectly, running the script or scheduler could execute arbitrary local shell commands under the user's account, not just publish a skill.
RecommendationRemove arbitrary command templates or strictly allowlist `clawhub publish`; execute with an argument list and `shell=False`; require explicit user approval for any custom command.
Rogue Agents
SeverityMediumConfidenceHighStatusNote
SKILL.md
Prefer a host scheduler such as cron or systemd timer so uploads happen automatically every 12 minutes.

The skill recommends persistent host scheduling. This is disclosed and rate-limited, but it means publish attempts can continue outside the chat session.

User impactOnce scheduled, the script may keep attempting publishes until the queue is complete or the scheduler is disabled.
RecommendationOnly install the scheduler deliberately, monitor the state/log files, and disable the cron/systemd timer when publishing is finished.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
Run every 12 minutes using the example in `{baseDir}/resources/cron.example`.

The provided file manifest does not include `resources/cron.example` or the referenced systemd example, so part of the documented scheduler setup is not reviewable in the supplied artifacts.

User impactUsers may need to create scheduler configuration manually or rely on undocumented examples, increasing setup mistakes.
RecommendationInclude the referenced scheduler example files in the package or remove/update those references.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
`clawhub` must already be installed and authenticated on the host.

The skill depends on the user's existing authenticated ClawHub CLI session to publish local skills. This is expected for the purpose, but it uses delegated account authority.

User impactSuccessful runs publish content under the authenticated ClawHub account, so an unintended queue entry could publish the wrong local skill.
RecommendationRun a dry run first, confirm the active ClawHub account with `clawhub whoami`, and review every queued path before using `--execute` or a scheduler.