clawhub-deployer — Skill Publishing Assistant
v1.0.0
Publish a skill to ClawHub registry. Use when user asks to publish, release, or deploy a skill to ClawHub.
by Futurize Rush @futurizerush
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the instructions (validate SKILL.md, prepare a text-only folder, run npx clawhub publish). However the SKILL.md invokes npx (Node.js/npm) and standard shell utilities (cp, mkdir, ls, head) but the skill metadata does not declare any required binaries — a small coherence gap.
Instruction Scope
Runtime instructions are narrowly scoped to preparing a publish folder, logging in, and invoking the ClawHub CLI. They do not request reading unrelated system files or exfiltrating data. They explicitly exclude .env and other non-text files.
Install Mechanism
There is no install spec (instruction-only). The workflow uses `npx clawhub@latest`, which will fetch code from npm at runtime — a normal choice for a CLI but introduces standard supply-chain risk (using the `@latest` tag means the fetched package can change over time). No arbitrary URLs or archives are used.
Credentials
The skill does not request environment variables, config paths, or credentials in its metadata. The login step uses the ClawHub CLI (interactive or token-based), which reasonably requires authentication but is not declared as an env variable here — acceptable but worth documenting.
Persistence & Privilege
The skill is not always-enabled and requests no system-wide persistence or privileged access. It does not modify other skills' configs or require elevated privileges.
Assessment
This skill is largely coherent for publishing to ClawHub, but check a few things before using it: ensure the agent environment has Node.js/npm available (the SKILL.md uses npx but the skill metadata doesn't declare that); prefer pinning a specific clawhub CLI version rather than `@latest` to reduce supply-chain risk; review the files that will be copied to confirm no secrets (API keys, .env contents, or private credentials) are included in the publish folder; be aware the workflow recommends removing LICENSE files because ClawHub enforces MIT-0 — make sure you understand and accept that license change before publishing. If you want higher assurance, run the npx commands manually or inspect the npm package source (https://www.npmjs.com/package/clawhub) before letting an agent invoke them.
Like a lobster shell, security has layers — review code before you run it.
latestvk977spym7bh1j8pathwyr1thyd84ckpq
