skill-merge-and-republish
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: skill-merge-and-republish Version: 0.1.0 The skill bundle provides a legitimate workflow for merging overlapping local skills and republishing the result to ClawHub. The instructions in SKILL.md involve standard administrative tasks such as reading files, deleting redundant local folders, and executing a publishing command (clawhub-publish-flow), all of which are consistent with the stated purpose and show no signs of malicious intent or data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken merge decision could delete a local skill, commit undesired changes, or publish an incorrect skill update to ClawHub.
These are file mutation, deletion, version-control, and remote publishing actions. The workflow does not instruct the agent to pause for explicit user approval or show a diff before taking those high-impact actions.
3. Merge the absorbed logic into the canonical `SKILL.md`. 4. Remove the redundant local skill folder. 5. Commit locally. ... 8. Publish the updated canonical skill via `clawhub-publish-flow`.
Require an explicit user-approved plan before merging, show the final diff before deletion or commit, and require separate confirmation before publishing to ClawHub.
The agent may attempt to publish using whatever ClawHub credentials are available, which could update the wrong owner, workspace, or public listing.
Republishing to ClawHub uses delegated account authority, but the provided metadata declares no primary credential, required environment variables, or account scope, leaving the permission boundary unclear.
Publish the updated canonical skill via `clawhub-publish-flow`.
Declare the required ClawHub publishing authority and instruct the agent to confirm the target owner, slug, version, and account before publishing.
A bad merge or wrong canonical choice could spread from local files into committed history, ClawHub releases, and registry records.
The workflow chains local deletion, persistent commits, remote publishing, and registry updates. An error early in the merge can propagate across local and remote state without a stated containment or rollback step.
Remove the redundant local skill folder. 5. Commit locally. 6. Inspect the canonical remote skill on ClawHub. 7. Bump patch version. 8. Publish the updated canonical skill via `clawhub-publish-flow`. 9. Verify remote status. 10. Update local registry sheet if it references both skills.
Add staged checkpoints: dry-run analysis, user approval of kept/retired skills, backup or branch creation, diff review, separate publish approval, and documented rollback steps.