ClawHub

SkillUp

v0.1.9

SkillUp is a cross-platform skill publishing tool for packaging and syncing custom skills to GitHub, Xiaping Skill, OpenClaw CN, and ClawHub.

0· 123·0 current·0 all-time
by@cjke84
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and SKILL.md: scripts package and upload skill zips to GitHub, Xiaping, OpenClaw CN, and ClawHub. Required CLIs (gh, git, claw, clawhub) and tokens correspond to the advertised platforms and the primary credential (GitHub token) is reasonable for a publishing tool.
Instruction Scope
Runtime instructions and scripts operate on skill directories, create zip artifacts, call platform APIs/CLIs, and write structured results to artifact/result files. They read only expected files (manifest.toml, SKILL.md, config) and use environment tokens declared in metadata. They write temporary logs to /tmp and export tokens for CLI calls (GH_TOKEN, CLAWHUB_TOKEN, SKILLUP_OPENCLAW_TOKEN).
Install Mechanism
No install spec — instruction-only with included shell scripts. No downloads or archive extraction from arbitrary URLs. All code is local shell/python helpers; nothing is fetched or installed automatically by the skill itself.
Credentials
The skill requests four platform tokens (GitHub, Xiaping, OpenClaw, ClawHub). This is proportionate because the tool can publish to all four services; primaryEnv is GitHub as declared. Users should only populate tokens for platforms they intend to use. Additional env var CLAWHUB_TOKEN is supported as a fallback and appears in SKILL.md.
Persistence & Privilege
always is false and the skill does not request permanent elevated agent privileges. It can copy files into local agent skill directories in install-local mode (expected for an installer/publisher) but does not attempt to modify other skills' configs or system-wide agent settings beyond those operations.
Assessment
This skill appears to do what it says: packaging and publishing skills to the four listed platforms. Before using it: (1) review config.example.toml and fill only the tokens for platforms you want to publish to; (2) run with --dry-run to confirm behavior and artifact outputs; (3) be aware the scripts export tokens to invoke CLIs (GH_TOKEN, CLAWHUB_TOKEN, SKILLUP_OPENCLAW_TOKEN) and write logs to /tmp—treat these tokens as sensitive and rotate them if compromised; (4) note the openclaw helper temporarily sets NODE_TLS_REJECT_UNAUTHORIZED=0 for CLI calls (weakens TLS checks for that command), so prefer configuring a correct base_url/CA or avoid using the CLI against untrusted endpoints; (5) inspect and run the tool in a controlled environment (or container) if you don't fully trust the remote owner; and (6) use least-privilege tokens (scoped GitHub tokens) and test on a sample repo before wide use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dmk8njj41dtn53n7jbh47sd83j59b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl, git, gh, claw, clawhub
Any binzip, python3
EnvSKILLUP_GITHUB_TOKEN, SKILLUP_XIAPING_API_KEY, SKILLUP_OPENCLAW_TOKEN, SKILLUP_CLAWHUB_TOKEN
Primary envSKILLUP_GITHUB_TOKEN

Comments