Skill Publisher: Claw Skill Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its publishing purpose, but its publish workflow stages and pushes an entire directory to GitHub, while the secret check it advertises only scans Markdown files.
Review the scripts before use, run a secret scan over the whole project yourself, check `git status` and `git diff` before publishing, avoid `--force`, and confirm which GitHub account `gh` is logged into and what visibility the repository will get.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may think the skill checked the whole project for secrets before publishing, while secrets in non-Markdown files could be missed.
The script can reassure users that no obvious secrets were found, but its secret checks are limited to Markdown files (`--include="*.md"`), so a credential sitting in a `.env`, config, JSON/YAML or source file passes untouched. That does not match the broader public-release/security-audit posture the skill presents.
```sh
grep -rniE "(api[_-]?key|secret|password|token|bearer)" . --include="*.md"
...
pass "No obvious secret patterns"
```
Before publishing, run a secret scan across all file types, including code, config, env, JSON/YAML, and hidden files; update the skill to clearly state scan scope.
Running the publish workflow on the wrong folder or without reviewing changes could publish unintended files.
The publish workflow stages every file in the target directory (`git add -A`), commits it, creates a GitHub repository, and pushes it. This is aligned with publishing, but it is high-impact: anything present in that directory, intended or not, ends up in the commit and on GitHub.
```sh
git add -A
git commit -m "$COMMIT_MSG"
gh repo create "$REPO_NAME" --"$VISIBILITY" --description "$REPO_DESC" --source=. --push
git push -u origin "$BRANCH"
```
Use this only on a clean skill directory, inspect `git status` and `git diff` before committing, avoid `--force` unless you are certain, and confirm the repo visibility.
The workflow can act on the GitHub account currently authenticated in `gh`, including creating public or private repositories.
The script uses the user's GitHub CLI authentication to create and push repositories. This is expected for publishing, but `gh repo create "$REPO_NAME"` is called without an owner prefix, so the repository is created under whichever account `gh` is currently logged into, with whatever privileges that account has.
```sh
if ! gh auth status &>/dev/null; then
    echo "Please authenticate: gh auth login"
...
gh repo create "$REPO_NAME" --"$VISIBILITY" --description "$REPO_DESC" --source=. --push
```
Check `gh auth status` and repository visibility before running the publish command.
Some automatic fixes may not work as documented if referenced templates are absent.
The script references template files that are not listed in the provided file manifest, so some fix paths may fail or depend on missing package contents.
```sh
sed -e "s/\[YEAR\]/$YEAR/g" -e "s/\[AUTHOR\]/$AUTHOR/g" "$SCRIPT_DIR/templates/LICENSE.template" > LICENSE
cp "$SCRIPT_DIR/templates/gitignore.template" .gitignore
```
Verify the package includes all referenced templates before relying on the auto-fix workflow.
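A preflight script that applies the four recommendations above before the skill's `git add -A` / `gh repo create` step runs: a secret scan over every regular file (all extensions, hidden files included, only `.git` pruned), a review of what the working tree would sweep into the commit, an explicit visibility check before `gh` is invoked, and a check that the referenced templates are actually shipped. This is an added example written for this review, not code from the Skill Publisher skill. The file name `preflight.sh`, the function names, and the extra AWS-access-key and PEM-header shapes appended to the skill's own grep pattern are assumptions.

```sh
#!/bin/sh
# preflight.sh <skill-dir> <public|private>
# Added example for this review, not the skill's own script. Runs the checks
# recommended above and exits non-zero if any of them fails.

# The skill's own grep pattern, extended (assumption) with an AWS access-key
# shape and PEM private-key headers.
SECRET_PATTERN='(api[_-]?key|secret|password|token|bearer|AKIA[0-9A-Z]{16}|BEGIN [A-Z ]*PRIVATE KEY)'

# Finding 1: scan every regular file under $1, whatever its extension, hidden
# files included and only .git pruned. Prints file:line:text for each hit on
# stdout and returns 0 if anything matched, 1 if the tree looks clean.
scan_for_secrets() {
    dir=${1%/}
    hits=$(find "$dir" -path "$dir/.git" -prune -o -type f \
            -exec grep -nHIiE "$SECRET_PATTERN" {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 0
    fi
    echo "No obvious secret patterns in any file type under $dir (hidden files included, .git skipped)" >&2
    return 1
}

# Finding 2: before the workflow runs `git add -A`, show exactly what it would
# sweep up. Returns 0 only when the working tree has nothing uncommitted.
review_working_tree() {
    status=$(git -C "$1" status --porcelain --untracked-files=all) || return 1
    if [ -n "$status" ]; then
        echo "Uncommitted or untracked files that 'git add -A' would publish:" >&2
        printf '%s\n' "$status" >&2
        git -C "$1" diff --stat >&2
        return 1
    fi
    return 0
}

# Finding 3: refuse to touch gh until the visibility is explicit, then print
# which account gh is authenticated as so the user sees where the repo lands.
check_publish_identity() {
    case "$1" in
        public|private) ;;
        *) echo "visibility must be 'public' or 'private', got '$1'" >&2; return 1 ;;
    esac
    gh auth status
}

# Finding 4: the auto-fix paths copy files out of $SCRIPT_DIR/templates; make
# sure they are present before depending on them.
check_templates() {
    missing=0
    for t in LICENSE.template gitignore.template; do
        if [ ! -f "$1/templates/$t" ]; then
            echo "missing template: $1/templates/$t" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Only run the full preflight when invoked with arguments, so the functions
# above can also be sourced individually. SCRIPT_DIR is honoured if exported
# (as the skill does); otherwise this script is assumed to sit beside the
# skill's scripts.
if [ "$#" -eq 2 ]; then
    skill_dir=$1
    visibility=$2
    script_dir=${SCRIPT_DIR:-$(cd "$(dirname "$0")" && pwd)}
    fail=0
    check_templates "$script_dir" || fail=1
    if scan_for_secrets "$skill_dir"; then
        echo "Refusing to publish: secret-looking strings found above" >&2
        fail=1
    fi
    review_working_tree "$skill_dir" || fail=1
    check_publish_identity "$visibility" || fail=1
    exit "$fail"
fi
```

Run it as `sh preflight.sh /path/to/skill public` from the directory that also holds the skill's `templates/`; a non-zero exit means one of the four checks flagged something and the publish command should not be run yet.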
