Clawhub Release Auditor
v0.2.1
Validate, package, and verify ClawHub skills before and after publishing. Use when creating or updating a ClawHub skill, preparing a release, diagnosing repe...
by wuu Dao @daowuu
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included scripts and SKILL.md: the scripts implement preflight checks, packaging/verify helpers, history analysis, and release-diff checks. Required binaries (clawhub, openclaw) are reasonable for these operations.
Instruction Scope
SKILL.md instructs running included scripts that read a local skill directory, run packaging validation, and call 'clawhub inspect' for remote verification — all in-scope for a publishing auditor. The scripts scan source files for undeclared env vars/binaries but do not exfiltrate secrets or make unexpected external network calls beyond the expected 'clawhub' CLI usage.
Install Mechanism
No install spec is provided (instruction-only with bundled scripts). No downloads or archive extraction are performed by the skill itself. Scripts are shipped with the skill and executed locally.
Credentials
The skill declares no environment variables and requests no credentials. The code inspects source files to detect env usage but does not itself read or require secrets. No unrelated credentials are requested.
Persistence & Privilege
always:false and normal autonomous invocation settings. The skill does not request permanent presence, does not modify other skills, and does not change system-wide agent configuration.
Assessment
This skill appears to implement exactly what it claims: local preflight checks, packaging validation, and post-publish verification via the 'clawhub' CLI. Before installing or running it, note a few practical cautions:
(1) The scripts invoke your local packaging script at ~/project/openclaw/skills/skill-creator/scripts/package_skill.py — that path is an environment assumption and may not exist on your machine; verify or adjust the path before running.
(2) The tools will run subprocesses (clawhub inspect, package_skill), which will interact with the network and run whatever logic those CLIs/scripts perform — review package_skill.py and ensure you trust it in your environment.
(3) The preflight scanner reads files under the skill dir to detect undeclared env vars and binaries; it does not exfiltrate data, but it will report what it finds.
If you want extra caution, run the scripts in a restricted or sandboxed environment and inspect the included Python files (they are short and readable) before use.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: clawhub, openclaw
