Skill Release
Pass
Audited by ClawScan on May 2, 2026.
Overview
This looks like a legitimate ClawHub publishing helper, but it uses your ClawHub login/token and can publish or update skills when you ask it to.
Install only if you intend to let the agent help publish to ClawHub. Before any publish/update, verify the target directory, generated changelog, version bump, and account identity; prefer dry-run/check workflows first.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken invocation could publish or update a public ClawHub skill and change the local SKILL.md version.
The skill is designed to modify the target skill version and run a publishing command. This is expected for a release helper, but it is a high-impact action if the wrong path, version, or changelog is used.
5. Automatically update the version in SKILL.md ... 7. Run: clawhub publish <path> --version <new-ver> --changelog "<txt>"
Use dry-run/check mode first, then explicitly confirm the target path, slug, version, and changelog before publishing.
The skill can act on your ClawHub account for publishing operations through the configured token/login.
The skill requires a ClawHub token or logged-in CLI session so it can publish under the user's account. That authority is disclosed and purpose-aligned, but sensitive.
requires:
  env:
    - CLAWHUB_TOKEN
Use an account or token with only the needed ClawHub permissions, and revoke or rotate it if you no longer use the skill.
You rely on the npm-distributed clawhub CLI and your local global npm environment.
The setup asks the user to globally install an external CLI package. This is central to the skill's purpose and user-directed, but it is an unpinned dependency.
npm i -g clawhub
clawhub login
Install the CLI only from the expected npm package/source, consider pinning or auditing the version, and keep it updated.
