auto-publish-created-skills

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is transparent about automatically publishing new assistant-created skills to ClawHub, but it can change public listings using your logged-in account.

Before installing, confirm that you really want the assistant to publish assistant-created skills to ClawHub after your standing request. Review and commit each skill first, verify the logged-in ClawHub account, and inspect the referenced publish-flow script because it was not included in this artifact set.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used, the assistant may publish or update skills on ClawHub under the authenticated account.

Why it was flagged

The skill tells the agent to run a publishing workflow that can create or update a ClawHub skill release. This is purpose-aligned, but it is a high-impact remote account action.

Skill content

Publish with `skills/clawhub-publish-flow/scripts/publish_to_clawhub.js`.

Recommendation

Use only if you want ongoing assistant-driven publishing, and consider requiring a final human confirmation before each publish.

What this means

Actions taken by the assistant may be attributed to the logged-in ClawHub account.

Why it was flagged

The workflow depends on the user's existing ClawHub login/session. The artifacts do not show credential theft or logging, but the skill will act with that account's publishing privileges.

Skill content

local ClawHub session is authenticated

Recommendation

Verify which ClawHub account is logged in and ensure its permissions are appropriate before enabling this workflow.

What this means

The real safety of publishing depends partly on a separate local publish script not included in this artifact set.

Why it was flagged

The instruction references a helper script outside this instruction-only skill; that script was not part of the provided file manifest, so its implementation was not reviewed here.

Skill content

Publish with `skills/clawhub-publish-flow/scripts/publish_to_clawhub.js`.

Recommendation

Review or trust the referenced ClawHub publish-flow script before relying on this skill.

What this means

A mistaken or incomplete local skill could become visible in ClawHub or related registry records if the preconditions are applied too loosely.

Why it was flagged

Publishing and registry updates can propagate assistant-created skill changes beyond the local workspace. The instructions include review and commit preconditions, which reduces but does not eliminate downstream impact.

Skill content

Add or update the registry sheet if needed.

Recommendation

Keep the review/commit gate strict and verify the final published URL and version after each release.