Marila Skill Publish
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: marila-skill-publish
Version: 1.0.8
The skill bundle is a documentation and workflow guide designed to help developers publish and update OpenClaw skills. It provides standard shell commands for environment setup (git, gh, clawhub) and includes a comprehensive security checklist (references/clawhub-review-checklist.md) that emphasizes credential safety and metadata accuracy. While it mentions sensitive operations such as modifying the agent's workspace or reading local configuration files for troubleshooting, these are presented with explicit security warnings and are contextually appropriate for a developer tool.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run against the wrong repository, branch, slug, or version, the user could publish unintended content or account changes.
These commands are central to the stated release workflow, but they can commit local files, push to GitHub, create a release, and publish a skill version.
`git add -A && git commit && git push` ... `gh release create` ... `clawhub publish <路径>`
Before running the release commands, verify git status/diff, target repository, GitHub account, ClawHub account, slug, version, and changelog.
A mistaken or over-permissioned login could publish to the wrong account or repository.
The workflow depends on authenticated GitHub and ClawHub sessions, so the commands act with the user's account permissions.
- ClawHub account (logged in)
- GitHub account (used for push and GitHub Release)
Run `gh auth status`, `clawhub whoami`, and `git remote -v` before publishing, and use least-privileged accounts where possible.
Executing this command can overwrite or change the agent's installed skill behavior.
Copying a skill file into the OpenClaw workspace can persistently change what the local agent uses; the artifact does warn this should be explicit and trusted.
`cp <技能目录>/SKILL.md ~/.openclaw/workspace/skills/技能名/SKILL.md` ... `Should only be executed explicitly in a trusted environment`
Only copy into the agent workspace after reviewing the file contents and confirming the target path in a trusted local environment.
Users may inspect the wrong repository when trying to verify the skill's source or release history.
The listed homepage points to a different project name than this skill and differs from the package repository, creating a provenance mismatch users should notice.
Homepage: https://github.com/aliramw/dingtalk-ai-table
Confirm the intended source repository before relying on the instructions, especially before publishing with authenticated accounts.
