Skill Release
Pass
Audited by VirusTotal on May 2, 2026.
Overview
Type: OpenClaw Skill
Name: skill-release
Version: 1.0.0
The skill bundle is designed to facilitate the publishing and management of OpenClaw skills on the ClawHub registry. It includes Python scripts (scripts/check.py and scripts/publish.py) that validate the environment, check authentication via the 'clawhub' CLI, and automate version bumping and publishing. The logic is transparent, well-documented, and strictly aligned with its stated purpose without any indicators of malicious intent or unauthorized data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken invocation could publish or update a public ClawHub skill and change the local SKILL.md version.
The skill is designed to modify the target skill version and run a publishing command. This is expected for a release helper, but it is a high-impact action if the wrong path, version, or changelog is used.
5. Automatically update the version in SKILL.md ... 7. Run: clawhub publish <path> --version <new-ver> --changelog "<txt>"
Use dry-run/check mode first, then explicitly confirm the target path, slug, version, and changelog before publishing.
The skill can act on your ClawHub account for publishing operations through the configured token/login.
The skill requires a ClawHub token or logged-in CLI session so it can publish under the user's account. That authority is disclosed and purpose-aligned, but sensitive.
requires:
  env:
    - CLAWHUB_TOKEN
Use an account or token with only the needed ClawHub permissions, and revoke or rotate it if you no longer use the skill.
You rely on the npm-distributed clawhub CLI and your local global npm environment.
The setup asks the user to globally install an external CLI package. This is central to the skill's purpose and user-directed, but it is an unpinned dependency.
npm i -g clawhub
clawhub login
Install the CLI only from the expected npm package/source, consider pinning or auditing the version, and keep it updated.
