ClawdHub Publish Helper

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill coherently helps prepare and publish OpenClaw skills, with publishing gated by user confirmation.

Install this only if you want an agent to inspect a skill directory for sensitive content and prepare a publishable copy. Review the generated files before approving any `npx clawhub@latest publish` command, because publishing can make the skill contents public.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The README advertises very broad invocation phrases like "publish this skill" and "prepare for publishing," which can overlap with ordinary user requests and cause the skill to activate unintentionally. Because this skill performs sensitive publishing-related actions and references a workflow that includes auditing, git initialization, and publishing, accidental triggering could lead to unintended disclosure or release preparation if the runtime uses phrase-based routing.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal