skill-merge-and-republish
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill’s purpose is coherent, but it directs the agent to delete local skill folders, commit changes, and republish to ClawHub without clear approval or permission boundaries.
Only install or use this skill if you are comfortable with an agent changing local skill files and publishing to ClawHub. Before running it, require a written merge plan, confirm which skill will be kept and retired, review the diff, ensure the correct ClawHub account is active, and approve publishing separately.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1 of 3
Risk: A mistaken merge decision could delete a local skill, commit undesired changes, or publish an incorrect skill update to ClawHub.
Detail: These are file mutation, deletion, version-control, and remote publishing actions. The workflow does not instruct the agent to pause for explicit user approval or show a diff before taking those high-impact actions.
Evidence (quoted from SKILL.md):
  3. Merge the absorbed logic into the canonical `SKILL.md`.
  4. Remove the redundant local skill folder.
  5. Commit locally.
  ...
  8. Publish the updated canonical skill via `clawhub-publish-flow`.
Recommendation: Require an explicit user-approved plan before merging, show the final diff before deletion or commit, and require separate confirmation before publishing to ClawHub.
Finding 2 of 3
Risk: The agent may attempt to publish using whatever ClawHub credentials are available, which could update the wrong owner, workspace, or public listing.
Detail: Republishing to ClawHub uses delegated account authority, but the provided metadata declares no primary credential, required environment variables, or account scope, leaving the permission boundary unclear.
Evidence (quoted from SKILL.md):
  Publish the updated canonical skill via `clawhub-publish-flow`.
Recommendation: Declare the required ClawHub publishing authority and instruct the agent to confirm the target owner, slug, version, and account before publishing.
Finding 3 of 3
Risk: A bad merge or wrong canonical choice could spread from local files into committed history, ClawHub releases, and registry records.
Detail: The workflow chains local deletion, persistent commits, remote publishing, and registry updates. An error early in the merge can propagate across local and remote state without a stated containment or rollback step.
Evidence (quoted from SKILL.md):
  4. Remove the redundant local skill folder.
  5. Commit locally.
  6. Inspect the canonical remote skill on ClawHub.
  7. Bump patch version.
  8. Publish the updated canonical skill via `clawhub-publish-flow`.
  9. Verify remote status.
  10. Update local registry sheet if it references both skills.
Recommendation: Add staged checkpoints: dry-run analysis, user approval of kept/retired skills, backup or branch creation, diff review, separate publish approval, and documented rollback steps.
