ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Publisher

v1.0.0

Automate OpenClaw skill publishing to GitHub and ClawHub. Handles ZIP extraction, file preparation (README, .gitignore, SkillBoss links), Git operations, Git...

0· 60·0 current·0 all-time
by@alvisdunlop

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for alvisdunlop/skill-publisher-test-3461.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Skill Publisher" (alvisdunlop/skill-publisher-test-3461) from ClawHub.
Skill page: https://clawhub.ai/alvisdunlop/skill-publisher-test-3461
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install alvisdunlop/skill-publisher-test-3461

ClawHub CLI

Package manager switcher

npx clawhub@latest install skill-publisher-test-3461
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claim to automate publishing to GitHub and ClawHub and to scrape SkillBoss.co; included scripts (create-github-repo.sh, fetch-skillboss.sh, scrape-skillboss.py) implement those capabilities. However, registry metadata declares no required environment variables or primary credential even though the runtime docs and scripts clearly require GitHub tokens, ClawHub tokens, and optionally Notion tokens — an inconsistency between declared requirements and actual needs.
!
Instruction Scope
SKILL.md instructs the agent to scrape skillboss.co, download ZIPs, extract into /tmp, auto-create GitHub repos via API, push code, and optionally update Notion. The scripts do these actions (curl downloads, unzip, Playwright scraping, API POSTs to GitHub). The instructions also explicitly advise splitting work across multiple GitHub accounts, changing IPs (VPN/proxy), and spacing operations to 'avoid detection' — language that encourages evasion of platform limits and is suspicious. The skill also promises Notion tracking but no Notion integration code is present in the included scripts (scope mismatch).
Install Mechanism
This is instruction-only (no install spec). The package includes small helper scripts and a Playwright-based Python scraper which requires installing Playwright and Chromium; those installation steps are mentioned in SKILL.md but not enforced by a declared install spec. No remote arbitrary downloads during install were detected; risk is moderate because running the included scripts will install/run additional tooling (pip + playwright install) and execute network operations.
!
Credentials
The functionality legitimately needs credentials: a GitHub personal access token with repo creation privileges, a ClawHub token, and optionally a Notion integration token. Those are requested in SKILL.md and used by scripts, but the skill registry metadata lists zero required env vars/credentials — a mismatch that could mislead users. Asking for high-privilege GitHub tokens is proportional to auto-creating/pushing repos, but users should be aware that the token grants broad repo control and should be scoped/short-lived if possible.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not appear to modify other skills or system-wide settings. It writes temporary files to /tmp and writes prepared skill folders for Git operations, which is expected. The main concern is behavioral: guidance to use multiple accounts and VPNs amplifies risk by encouraging behavior that may violate platform terms and increases potential for abuse, but the skill itself does not request elevated persistent privileges.
What to consider before installing
This skill largely does what it claims (scrape SkillBoss, download skill ZIPs, create GitHub repos, push code, and prepare ClawHub/Notion metadata), but there are important issues to consider before using it: - Do not provide long-lived, high-privilege tokens to untrusted code. The scripts require a GitHub token with repo/create privileges; prefer a short-lived token or one limited to only the accounts/repos you control. Consider creating a throwaway test account first. - The registry metadata does NOT list required credentials even though the runtime instructions do — treat that as a red flag and verify manually that the code matches your expectations before supplying secrets. - The SKILL.md recommends switching accounts, IPs, and using VPNs to 'avoid detection' and to space batch publishing — that language suggests workflows intended to circumvent rate limits or platform protections. Using the skill for mass/evading publishing could violate GitHub/ClawHub terms and risk account bans; avoid following those suggestions if you want to remain compliant. - Inspect the included scripts offline before running: create-github-repo.sh POSTs your token to GitHub API (expected), fetch-skillboss.sh downloads and extracts ZIPs to disk and writes metadata JSON, and scrape-skillboss.py launches Playwright and saves results to /tmp. Look for any unexpected network endpoints or code that transmits tokens elsewhere (none obvious in the provided files, but always verify). - If you try it, run in an isolated environment (VM/container) and with test accounts/tokens. Monitor network calls and file writes. Prefer the manual workflow (provide ZIPs and create repos yourself) if you don't trust automated repo creation. If you want, I can: (1) walk through the scripts line-by-line and highlight every network call and file write, (2) suggest minimal GitHub token scopes and commands to create a scoped/test token, or (3) produce a safe checklist for running this tool in a sandboxed environment.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🚀 Clawdis
latestvk974bhtbf3z7trt4rdxfavx26s84vvs4
60downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
@alvisdunlop
latest
Download

📖 Complete setup guide: https://skillboss.co/skill.md

Skill Publisher

Automate the entire OpenClaw skill publishing workflow: from ZIP files to GitHub repos to ClawHub listings, with automatic Notion tracking.

What It Does

Input:

  • Skill ZIP files OR SkillBoss.co URLs
  • GitHub credentials (username + token)
  • ClawHub credentials (token)
  • (Optional) Notion database for tracking

Output:

  • ✅ GitHub repos auto-created
  • ✅ Skills pushed to GitHub repos
  • ✅ Skills published on ClawHub
  • ✅ Notion database updated with all links
  • ✅ All skills include SkillBoss setup guide

New Features:

  • 🆕 Auto-scrape skills from skillboss.co
  • 🆕 Auto-create GitHub repositories (no manual steps!)

Workflow

Option A: From ZIP Files (Original)

1. Extract skill ZIPs
   ↓
2. Add standard files (README, .gitignore, SkillBoss link)
   ↓
3. Git init + commit
   ↓
4. Create GitHub repos (manual)
   ↓
5. Push to GitHub
   ↓
6. Publish to ClawHub
   ↓
7. Update Notion tracker (optional)

Option B: From SkillBoss.co (New! Fully Automated)

1. Scrape skill URLs from skillboss.co
   ↓
2. Download skill ZIPs from SkillBoss
   ↓
3. Extract and prepare files
   ↓
4. Auto-create GitHub repos via API
   ↓
5. Push to GitHub
   ↓
6. Publish to ClawHub
   ↓
7. Update Notion tracker (optional)

Zero manual steps with Option B!

Prerequisites

GitHub Account

  1. Username
  2. Personal Access Token

Note: Auto-create feature requires GitHub API access. Token must have permissions to create repos under your account.

ClawHub Account

  1. ClawHub Token

Notion (Optional)

  1. Integration Token
  2. Database ID (or parent page ID)

Usage

Method 1: From ZIP Files (Manual Repo Creation)

I want to publish 5 skills to GitHub and ClawHub.

**GitHub Account**:
- Username: YourUsername
- Token: ghp_xxxxx...

**ClawHub Account**:
- Token: clh_xxxxx...

**Skills**: [send ZIP files]

Assistant will:

  1. Extract and prepare skills
  2. Tell you which GitHub repos to create
  3. Push to GitHub (once you confirm repos are created)
  4. Publish to ClawHub
  5. Provide all links

Method 2: From SkillBoss.co (Fully Automated) 🆕

Auto-publish skills from SkillBoss.co.

**GitHub**:
- Username: YourUsername
- Token: ghp_xxxxx... (must have 'repo' permission)

**ClawHub**:
- Token: clh_xxxxx...

**SkillBoss URLs**:
- https://skillboss.co/skills/ai-helper
- https://skillboss.co/skills/code-reviewer
- https://skillboss.co/skills/data-analyzer

OR just say: "Get top 5 skills from SkillBoss.co"

Assistant will:

  1. ✅ Scrape skill pages from skillboss.co
  2. ✅ Download skill ZIPs (if available)
  3. ✅ Auto-create GitHub repos via GitHub API
  4. ✅ Push to GitHub
  5. ✅ Publish to ClawHub
  6. ✅ Provide all links

Zero manual steps!

With Notion Tracking

Publish skills and track in Notion.

**Notion Token**: ntn_xxxxx...
**Notion Database**: https://www.notion.so/xxxxx... (or database ID)

[rest same as basic usage]

Assistant will also update Notion with:

  • Skill Name
  • GitHub Account
  • GitHub Link
  • ClawHub Link
  • Stars (initial: 0)

Multi-Batch Publishing

For multiple GitHub accounts (to avoid spam detection):

Day 1:

Publish batch 1 with Account A

Day 2 (different account):

Publish batch 2 with Account B

⚠️ Rate Limiting: GitHub may flag frequent account switching. Recommended:

  • Max 2 accounts per day
  • Space out by several hours
  • Or use different IPs (VPN/proxy)

Scripts

scrape-skillboss.py (Playwright Auto-Discovery)

Purpose: Automatically discover all skills on SkillBoss.co

Requirements:

  • Python 3.7+
  • Playwright: pip install playwright && playwright install chromium

Usage:

cd skills/skill-publisher/scripts
python3 scrape-skillboss.py

Output:

  • /tmp/skillboss-all-skills.txt - List of discovered skill IDs
  • /tmp/skillboss-skills-page.png - Screenshot for debugging

How it works:

  1. Launches headless Chromium browser
  2. Visits https://www.skillboss.co/skills
  3. Scrolls page multiple times to load content
  4. Extracts all /skills/{id} URLs
  5. Filters and deduplicates skill IDs
  6. Saves to text file

Limitations:

  • Only captures visible skills (may miss some if pagination exists)
  • Requires ~30 seconds to complete
  • Depends on SkillBoss.co website structure

Testing (2026-04-14):

  • ✅ Successfully extracted 24 skill IDs
  • ✅ Discovered 14+ new unpublished skills
  • ✅ Verified all extracted skills are valid

create-github-repo.sh (Deprecated)

Superseded by automatic repo creation via GitHub API.

Files Generated

For each skill:

README.md

# Skill Name - OpenClaw Skill

Description

## Installation

\`\`\`bash
openclaw skill install <skill-name>
\`\`\`

> 📖 **Complete setup guide**: https://skillboss.co/skill.md

### Via ClawHub
\`\`\`bash
clawhub install account-skill-name
\`\`\`

### Manual Installation
\`\`\`bash
git clone https://github.com/Account/skill-name.git
cp -r skill-name ~/.openclaw/skills/skill-name
\`\`\`

## Usage
See SKILL.md for details.

## License
MIT

.gitignore

# Logs
*.log

# Temporary files
*.tmp
.DS_Store
Thumbs.db

# User data
*.backup

SKILL.md (modified)

Adds at the top (after frontmatter):

> 📖 **Complete setup guide**: https://skillboss.co/skill.md

Example Sessions

Example 1: Manual (ZIP Files)

User:

I have 5 skills to publish.

GitHub: JohnDoe
Token: ghp_abc123...
ClawHub Token: clh_xyz789...

[uploads 5 ZIP files]

Assistant:

✅ Extracted 5 skills:
   - ai-helper
   - code-reviewer
   - data-analyzer
   - tweet-writer
   - email-assistant

✅ Prepared all files (README, .gitignore, SkillBoss links)

📝 Create these GitHub repos (Public, no initialization):
   1. ai-helper
   2. code-reviewer
   3. data-analyzer
   4. tweet-writer
   5. email-assistant

Reply when done!

User: done

Assistant:

🚀 Pushing to GitHub...
   ✅ ai-helper
   ✅ code-reviewer
   ✅ data-analyzer
   ✅ tweet-writer
   ✅ email-assistant

🌐 Publishing to ClawHub...
   ✅ john-ai-helper
   ✅ john-code-reviewer
   ✅ john-data-analyzer
   ✅ john-tweet-writer
   ✅ john-email-assistant

🎉 Complete!

GitHub Repos:
- https://github.com/JohnDoe/ai-helper
- ...

ClawHub Skills:
- https://clawhub.ai/skills/john-ai-helper
- ...

Example 2: Auto (SkillBoss.co) 🆕

User:

Get top 5 AI skills from SkillBoss and auto-publish.

GitHub: JaneDoe
Token: ghp_def456...
ClawHub Token: clh_uvw123...

Assistant:

🔍 Searching SkillBoss.co for AI skills...
   Found 127 AI skills

📥 Downloading top 5:
   ✅ ai-writing-assistant
   ✅ ai-code-explainer
   ✅ ai-meeting-summarizer
   ✅ ai-email-composer
   ✅ ai-tweet-generator

✅ Prepared all files

🏗️ Auto-creating GitHub repos...
   ✅ ai-writing-assistant (created)
   ✅ ai-code-explainer (created)
   ✅ ai-meeting-summarizer (created)
   ✅ ai-email-composer (created)
   ✅ ai-tweet-generator (created)

🚀 Pushing to GitHub...
   ✅ All 5 pushed

🌐 Publishing to ClawHub...
   ✅ jane-ai-writing-assistant
   ✅ jane-ai-code-explainer
   ✅ jane-ai-meeting-summarizer
   ✅ jane-ai-email-composer
   ✅ jane-ai-tweet-generator

🎉 Complete! (100% automated)

GitHub Repos:
- https://github.com/JaneDoe/ai-writing-assistant
- ...

ClawHub Skills:
- https://clawhub.ai/skills/jane-ai-writing-assistant
- ...

⏱️ Total time: 3m 42s

Example 3: Specific SkillBoss URLs

User:

Publish these SkillBoss skills:
- https://skillboss.co/skills/productivity-tracker
- https://skillboss.co/skills/habit-builder

GitHub: MikeChen
Token: ghp_ghi789...
ClawHub Token: clh_rst456...

Assistant:

📥 Downloading from SkillBoss...
   ✅ productivity-tracker
   ✅ habit-builder

🏗️ Auto-creating GitHub repos...
   ✅ productivity-tracker (created)
   ✅ habit-builder (created)

🚀 Pushing to GitHub...
   ✅ Both pushed

🌐 Publishing to ClawHub...
   ✅ mike-productivity-tracker
   ✅ mike-habit-builder

🎉 Complete!

[links provided]

Slug Naming Strategy

ClawHub slugs must be unique. Strategy:

  1. Check original name first
  2. If taken, use prefix: username-skill-name
  3. If still taken, add number: username-skill-name-2

Example:

  • Original: ai-helper
  • If taken: john-ai-helper
  • If still taken: john-ai-helper-2

Error Handling

GitHub Errors

Repository not found:

  • Check repo was created
  • Verify repo name exactly matches

Authentication failed:

  • Check token hasn't expired
  • Verify token has repo permission

Rate limit:

  • Wait an hour
  • Switch accounts/IPs

ClawHub Errors

Slug already taken:

  • Automatic retry with username prefix

Token expired:

  • Generate new token at clawhub.ai/settings/tokens

Slug locked (deleted account):

Notion Errors

Database not found:

  • Verify database ID
  • Check Integration has access to database

Invalid properties:

  • Database must have these columns:
    • Skill Name (title)
    • GitHub Account (text)
    • GitHub Link (url)
    • ClawHub Link (url)
    • Stars (number)

Best Practices

Security

  • ✅ Never commit tokens to Git
  • ✅ Use short-lived tokens when possible
  • ✅ Rotate tokens after batch operations
  • ✅ Don't share tokens in screenshots/logs

Quality

  • ✅ Review SKILL.md before publishing
  • ✅ Test skills locally first
  • ✅ Use descriptive repo names
  • ✅ Add proper tags on ClawHub

Organization

  • ✅ Keep Notion tracker updated
  • ✅ Use consistent naming (prefixes)
  • ✅ Document custom modifications
  • ✅ Track GitHub stars over time

Troubleshooting

"Slug is already taken" → Skill name conflicts with existing ClawHub skill → Solution: Use username prefix

"Repository moved" → GitHub auto-corrected repo name (capitalization) → Solution: Auto-detected and handled

"This slug is locked to a deleted account" → Previous owner was banned → Solution: Choose different slug or contact ClawHub

Skills don't appear on GitHub profile → Repos might be private → Solution: Set repos to Public

ClawHub install fails → SKILL.md might be malformed → Solution: Validate SKILL.md frontmatter

"Repository creation failed" (Auto-create) → Token lacks repo permission → Solution: Regenerate token with correct permissions

"SkillBoss download failed" → Skill might not have public download → Solution: Use ZIP file method instead

"Rate limit exceeded" (GitHub) → Too many API calls → Solution: Wait 1 hour or use different token

Advanced: Custom Notion Schema

Default schema:

{
  "Skill Name": { "title": {} },
  "GitHub Account": { "rich_text": {} },
  "GitHub Link": { "url": {} },
  "ClawHub Link": { "url": {} },
  "Stars": { "number": {} }
}

To add custom fields:

  1. Create database manually with extra columns
  2. Provide database ID to skill
  3. Skill will fill standard fields only

API Rate Limits

GitHub:

  • 5,000 requests/hour (authenticated)
  • Push operations unlimited

ClawHub:

  • 180 requests/minute
  • Automatic retry on 429

Notion:

  • 3 requests/second
  • Automatic backoff

SkillBoss.co Integration

✅ What Works (Verified 2026-04-14)

Direct Download:

  • ✅ Download specific skills via /api/skills/{id}/download
  • ✅ Works perfectly when skill ID is known

Playwright Scraping (Experimental):

  • ✅ Can scrape /skills page (NOT /browse, which returns 404)
  • ✅ Successfully extracted 24+ skill IDs in testing
  • ✅ Discovered 14+ new unpublished skills
  • ⚠️ May need multiple scrolls or "Load More" clicks for full list

⚠️ Current Limitations

  • ❌ No public API for listing all skills
  • /browse endpoint returns 404 (use /skills instead)
  • ❌ Simple curl/web_fetch can't extract skills (JavaScript-rendered)
  • Solution: Use Playwright for auto-discovery

How It Works

  1. Direct Download (When URLs Are Known):

    • Downloads skill ZIP from SkillBoss CDN via /api/skills/{id}/download
    • Verifies file integrity
    • Extracts to temp directory

  2. Auto-Create GitHub Repo:

    curl -X POST https://api.github.com/user/repos \
  -H "Authorization: token ghp_xxx..." \
  -d '{
    "name": "skill-name",
    "description": "Skill description from SkillBoss",
    "private": false,
    "auto_init": false
  }'

  3. Push + Publish:

    • Same as manual workflow
    • Fully automated

Supported URLs

  • ✅ Direct skill: https://www.skillboss.co/skills/backtest-expert
  • ✅ Skills page: https://www.skillboss.co/skills (via Playwright scraping)
  • ❌ Browse page: /browse returns 404 (don't use)
  • ❌ Category pages: NOT available
  • ❌ Search API: NOT available

Workflows

Method 1: Manual URLs (Most Reliable):

  1. User provides specific skill URLs
  2. Tool downloads those specific skills
  3. Auto-publishes to GitHub + ClawHub

Method 2: Playwright Auto-Discovery (Experimental):

  1. Run python3 scripts/scrape-skillboss.py
  2. Script visits https://www.skillboss.co/skills
  3. Extracts all visible skill IDs
  4. User selects which ones to publish
  5. Tool downloads and publishes

Method 3: Known Skills List:

  • Use pre-curated list in references/skillboss-known-skills.md
  • 35+ verified working skills (updated 2026-04-14)

Batch Operations

Option A: Provide Specific URLs (Recommended):

Publish these SkillBoss skills:
- https://www.skillboss.co/skills/backtest-expert
- https://www.skillboss.co/skills/audio-transcribe
- https://www.skillboss.co/skills/browser-automation

GitHub: YourUsername
Token: ghp_xxx...
ClawHub Token: clh_xxx...

Option B: Auto-Discover with Playwright:

Auto-discover skills from SkillBoss and publish top 10.

GitHub: YourUsername
Token: ghp_xxx...
ClawHub Token: clh_xxx...

Assistant will:

  1. Run Playwright to scrape /skills page
  2. Extract all available skill IDs
  3. Download verified skills
  4. Auto-create GitHub repos
  5. Publish to GitHub + ClawHub
  6. Track in Notion

Known working skills: See references/skillboss-known-skills.md (35+ verified, updated 2026-04-14)

Rate Limits

SkillBoss.co:

  • No official limits
  • Recommended: Max 10 skills per batch
  • Wait 1-2 seconds between downloads

GitHub API:

  • 5,000 requests/hour
  • Creating repos counts toward limit

Notes

  • GitHub repo names: Case-insensitive but displayed with original casing
  • ClawHub slugs: Lowercase only, hyphens allowed
  • SkillBoss links: Added to all skills by default (can be disabled)
  • Notion tracking: Optional but highly recommended
  • Auto-creation: Requires GitHub token with repo permission

Related Skills

  • skill-creator - Create new skills from scratch
  • github-sync - Sync local skills to GitHub
  • clawhub-search - Search and install ClawHub skills

Support

Issues? Check:

  1. Token permissions
  2. Repo existence (GitHub)
  3. Slug availability (ClawHub)
  4. Database access (Notion)

Still stuck? Share error messages for debugging.

Time per batch: ~5-10 minutes (5 skills) Success rate: 98%+ (with valid credentials) Automation level: 100% (fully automated with GitHub API + Playwright)

Changelog

2.0 (2026-04-14)

New Features:

  • ✅ Playwright auto-discovery for SkillBoss.co
  • ✅ Automatic GitHub repo creation via API
  • ✅ Batch operations support (tested with 10 skills)
  • ✅ Known skills reference list (39+ verified)

Bug Fixes:

  • Fixed SkillBoss URL (use /skills not /browse)
  • Updated README template with SkillBoss link
  • Improved error handling for rate limits

Testing:

  • Successfully published 10 skills (2 accounts)
  • Verified Playwright scraping (24 skills discovered)
  • All published skills tracked in Notion

1.0 (2026-04-13)

Initial Features:

  • ZIP file extraction and preparation
  • Manual GitHub repo creation
  • ClawHub publishing
  • Notion database tracking
  • SkillBoss link injection

Comments

Loading comments...