skill-merge-and-republish
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s purpose is clear, but it tells the agent to delete local skill folders, commit changes, and republish to ClawHub without clear approval or rollback boundaries.
Only install or use this if you are comfortable letting the agent change local skill files and publish to ClawHub. Before running it, require a written merge plan, a file diff, a backup or branch, and explicit confirmation before deletion, commit, version bump, or publication.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Risk: A mistaken merge could remove or alter installed local skills and make the changes persistent in local history.
Finding: The skill instructs the agent to modify local skill behavior, delete a local skill folder, and commit changes, but it does not require explicit approval, a backup, or review of the exact files to be changed.
Skill text: "Merge the absorbed logic into the canonical `SKILL.md`. Remove the redundant local skill folder. Commit locally."
Mitigation: Require an explicit user-approved plan, show a diff, back up or branch before deletion, and confirm before committing.

Risk: The agent could publish changes under the user’s ClawHub authority if it has access to publishing tools or credentials.
Finding: Publishing to ClawHub uses delegated account or publisher authority, but the artifacts do not define credential scope, ownership checks, or confirmation requirements before publication.
Skill text: "Publish the updated canonical skill via `clawhub-publish-flow`."
Mitigation: Confirm the target owner, slug, version, and final content with the user before any publish action.

Risk: Incorrect merged instructions could be distributed through ClawHub and reflected in local registry tracking.
Finding: A local merge error can propagate into a versioned remote release and registry records, extending the impact beyond one local file.
Skill text: "Bump patch version. Publish the updated canonical skill via `clawhub-publish-flow`. Verify remote status. Update local registry sheet if it references both skills."
Mitigation: Use staged validation: review merged content locally, verify tests or checks, require user approval, then publish and update the registry only after confirmation.
