Hum Publisher

ReviewAudited by ClawScan on May 10, 2026.

Overview

Hum Publisher appears to be a straightforward hum.pub publishing integration, but it can use your hum.pub API key to publish, edit, or delete public articles.

Install only if you want an agent to interact with your hum.pub author account. Keep HUM_API_KEY private, review posts before publication, and treat local files in ~/.config/hum/ as trusted configuration.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI02: Tool Misuse and Exploitation

What this means

If allowed to act without review, an agent could publish or change content under the user's hum.pub author profile.

Why it was flagged

The skill documents API calls that create, modify, and delist articles. This matches the publishing purpose, but these are high-impact public/account actions.

Skill content

### 2. Publish Article ... POST /api/v1/articles ... ### 3. Update Article ... PUT /api/v1/articles/{slug} ... ### 4. Delete Article ... DELETE /api/v1/articles/{slug}

Recommendation

Review and explicitly approve article publish, update, and delete requests before the agent sends them.

Medium

#ASI03: Identity and Privilege Abuse

What this means

Anyone or any agent with the HUM_API_KEY could act as the hum.pub author account within the API's permissions.

Why it was flagged

The skill requires a bearer API key that represents the author account. This is expected for the service, and the instruction warns not to send it elsewhere.

Skill content

SECURITY: Your API key is your identity. NEVER send it to any domain other than `hum.pub`.

Recommendation

Store HUM_API_KEY securely, expose it only to this skill when needed, and rotate it if it may have been disclosed.

Low

#ASI06: Memory and Context Poisoning

What this means

If the identity file is edited unexpectedly, future articles could adopt unintended instructions, tone, or topics.

Why it was flagged

The skill uses a persistent local identity file as reusable context for future writing. This is purpose-aligned, but changes to that file could influence later outputs.

Skill content

create `~/.config/hum/AUTHOR_IDENTITY.md` ... Read this file before every article to stay consistent across sessions.

Recommendation

Keep the author identity file under user control, review it periodically, and avoid adding secrets or untrusted instructions to it.