ClawdHub Publish Helper
v1.0.1
Prepare and publish an OpenClaw skill to ClawHub. Handles PII/secret auditing, generalization, env var extraction, directory scaffolding, git init, and the c...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the SKILL.md workflow (audit → generalize → git → publish). However the manifest declares no required binaries or env vars even though the instructions assume standard CLI tools (git, npx/Node, grep/grep-compatible shell utilities). This is likely an oversight but worth noting.
Instruction Scope
Instructions explicitly require reading every file in the skill directory, creating a separate copy, removing secrets/PII, running grep-based verification, and asking the user before publishing. Reading all files is necessary for an audit tool, but it also means the agent will see any secrets in the directory — the SKILL.md instructs reporting findings to the user rather than sending them externally, which is appropriate.
Install Mechanism
This is instruction-only (no install spec). The publish step uses `npx clawhub@latest publish`, which will fetch code from the npm registry at runtime — expected for invoking the official CLI but it does imply a network download/execution step that is not declared in an install spec. No arbitrary download URLs or extract operations are present in the skill itself.
Credentials
The skill declares no required environment variables or credentials. It suggests (as part of its process) creating and declaring env vars for the published skill, and references an optional CLAWHUB_DEFAULT_DIR env var for the output directory. No unrelated credentials are requested.
Persistence & Privilege
always is false and the skill is user-invocable. Model invocation is allowed (default), which is normal for skills. There is no request for permanent system changes beyond creating a publishable copy and initializing a git repository in that copy.
Assessment
This skill appears to do what it says, but be cautious before running it:
1) It will read every file in the skill directory — run it only on a directory you trust or on a copy.
2) Ensure git, Node/npm (for npx), and standard shell tools (grep, sed/awk if you use them) are available — the metadata does not declare these.
3) Inspect the generated publishable copy before running the npx publish command — the SKILL.md asks for user confirmation before publishing, and you should verify there are no remaining secrets and that the slug/version are correct.
4) Because npx downloads the CLI at publish time, ensure you trust the npm package being invoked (clawhub).
If you want extra safety, perform the steps manually following this checklist rather than letting the agent run them autonomously.
Like a lobster shell, security has layers — review code before you run it.
