ClawHub
Back to skill
v1.0.0

ClawHub Web Only Publish

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:14 AM.

Analysis

This instruction-only skill is coherent for publishing to ClawHub, but it can act through your existing ClawHub session and optionally an existing CLI token, so review the account and files before publishing.

GuidanceInstall/use this only if you want the agent to help publish skills to ClawHub. Confirm the logged-in account, review the selected folder for secrets, and do not use the optional CLI fallback unless you intentionally want to publish with an existing CLI token.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
Click "Publish skill"

The skill instructs a final publish action, which is purpose-aligned but can change public/account-visible content.

User impactA mistaken folder, slug, or version could publish the wrong skill or content.
RecommendationTreat the publish click as a final approval step; verify the folder, metadata, and secret scan before proceeding.
Human-Agent Trust Exploitation
SeverityInfoConfidenceHighStatusNote
SKILL.md
If browser upload fails:
- Use existing CLI token (if already authenticated)
- Run: `clawhub publish <path> --version 1.0.0`

The artifact is framed as web-only, but it plainly documents an optional CLI publish fallback using an existing token.

User impactA user expecting strictly no CLI use may be surprised by the fallback path.
RecommendationUse the fallback only if you intentionally accept CLI publishing with an already-authenticated token.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
- Browser already logged in to https://clawhub.ai

The workflow depends on an existing authenticated ClawHub browser session, allowing publishing under the user's account.

User impactIf used in the wrong browser profile or account, the skill could publish under an unintended ClawHub identity.
RecommendationBefore publishing, confirm the visible ClawHub username/account and review the selected skill folder.