ClawHub Web Publisher

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note

ASI02: Tool Misuse and Exploitation

What this means

The selected skill folder may become publicly available on ClawHub under the current account.

Why it was flagged

The skill directs the agent to upload and publish a local directory through the web dashboard. This is the stated purpose, but publishing changes a third-party account/public listing.

Skill content

Select the local skill directory. ... Submit publish.

Recommendation

Before submission, confirm the exact folder, listing details, and that the user intends to publish publicly.

Note

ASI03: Identity and Privilege Abuse

What this means

Publishing will use the privileges of the active ClawHub browser session.

Why it was flagged

The workflow uses an existing authenticated ClawHub browser session. This is disclosed and expected for web-only publishing, but it relies on the authority of whichever account is currently signed in.

Skill content

Use the already signed-in browser session for dashboard upload.

Recommendation

Verify the browser is signed in to the intended ClawHub account before using the skill.