ClawHub

Portable Tools

v1.2.0

Build cross-device tools without hardcoding paths or account names

1· 2.6k·3 current·3 all-time
by@tunaissacoding
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name and description match the actual contents: a methodology, examples, and a pre-publish checklist for making shell tools portable. There are no unexpected binaries, environment variables, or unrelated install steps required.
Instruction Scope
SKILL.md and examples explicitly instruct running platform commands (e.g., macOS 'security find-generic-password') and showing BEFORE/AFTER token values. That is coherent for debugging auth portability, but the explicit encouragement to paste raw tokens and access keychain output increases the chance of accidental secrets disclosure. The instructions do not instruct reading unrelated system files or sending data to external endpoints, but they do ask for concrete secret values as 'proof.'
Install Mechanism
Instruction-only skill with no install spec and no downloads. No files are written or arbitrary code fetched during install—lowest-risk install posture.
Credentials
The skill does not declare any required environment variables or credentials (none listed). However, examples/diagnostics reference local credential stores (keychain) and tokens. This is reasonable for an OAuth/tool-portability guide, but users should be aware that following the examples may surface local credentials. The declared requirements are proportionate to the stated purpose.
Persistence & Privilege
The skill is not always-included, does not request persistent system privileges, and contains no install hooks. It does not modify other skills or system-wide settings.
Assessment
This skill is a portable-tooling guide and is internally consistent, but some examples explicitly ask you to show raw tokens and keychain output as "proof." Before using: (1) do NOT paste raw access tokens or secrets into public chat or logs — redact or hash them (e.g., show first/last 4 chars or a SHA256 of the token) when proving changes; (2) run the pre-publish checklist and debugging commands locally in a safe environment, not in a public/shared session; (3) if an agent or helper asks for BEFORE/AFTER values, prefer deterministic comparisons (hashes) or masked output instead of full secrets; (4) consider adding guidance to SKILL.md that any exported or reported token values must be redacted and that proofs should use non-reversible fingerprints rather than raw tokens.

Like a lobster shell, security has layers — review code before you run it.

latestvk97czp2a23xf0hzww583vcbfvh7zsjs5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments