Skill Release
Advisory
Audited by Static analysis on May 2, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken invocation could publish or update a public ClawHub skill and change the local SKILL.md version.
The skill is designed to modify the target skill version and run a publishing command. This is expected for a release helper, but it is a high-impact action if the wrong path, version, or changelog is used.
5. Automatically update the version in SKILL.md ... 7. Run: clawhub publish <path> --version <new-ver> --changelog "<txt>"
Use dry-run/check mode first, then explicitly confirm the target path, slug, version, and changelog before publishing.
The skill can act on your ClawHub account for publishing operations through the configured token/login.
The skill requires a ClawHub token or logged-in CLI session so it can publish under the user's account. That authority is disclosed and purpose-aligned, but sensitive.
requires:
env:
- CLAWHUB_TOKEN
Use an account or token with only the needed ClawHub permissions, and revoke or rotate it if you no longer use the skill.
You rely on the npm-distributed clawhub CLI and your local global npm environment.
The setup asks the user to globally install an external CLI package. This is central to the skill's purpose and user-directed, but it is an unpinned dependency.
npm i -g clawhub
clawhub login
Install the CLI only from the expected npm package/source, consider pinning or auditing the version, and keep it updated.
