Release Discipline

v1.0.0

Enforce release discipline for AI agents and developers. Prevents version spam, forces quality checks before publishing, and maintains a 24-hour cooldown between releases. Use when the user wants to publish, release, deploy, or bump versions. Triggers on "release", "publish", "deploy", "version bump", "npm publish", "릴리즈", "배포", "버전".

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (release discipline) aligns with the instructions (cooldown, docs, feedback, principles). However, many checks require querying external systems (GitHub issues, npm downloads, ClawHub installs, user messages) that the skill does not declare as required or explain how to access. This may be legitimate if the platform already provides connectors, but the skill should document which integrations it expects.
! Instruction Scope
SKILL.md tells the agent to read repo files (README.md, CHANGELOG, SOUL.md) and to query external sources and user messages. The instructions are fairly open-ended about how those checks are performed (e.g., 'Check: GitHub issues, npm downloads, ClawHub installs, user messages') which grants broad discretion. It also mandates writing a release log to memory/release-log.md. The scope is appropriate for a gatekeeper tool, but the lack of specificity increases risk of overreach (e.g., reading unrelated messages or repositories).
Install Mechanism
Instruction-only skill with no install spec or code files. Lowest-risk install profile because nothing is downloaded or written during install.
! Credentials
The skill declares no required environment variables or credentials yet expects access to services that commonly need credentials (GitHub APIs, npm stats, ClawHub, and potentially private user messages). This mismatch either assumes privileged platform connectors or omits required auth declarations. That lack of transparency is a proportionality concern.
Persistence & Privilege
The skill does not request 'always:true' and does not modify other skills. It instructs the agent to write to memory/release-log.md and to run weekly reviews — both are reasonable for a release-tracking tool. Because model invocation is allowed, the agent could run checks autonomously; combined with the above concerns (access to messages/APIs) this increases the blast radius if run without clear constraints.
What to consider before installing
This skill conceptually matches a release-gating tool, but it assumes the agent can read GitHub issues, npm download stats, ClawHub installs, and user messages without declaring required credentials or describing how those integrations work. Before installing:
1) Confirm which connectors/credentials (GitHub token, npm access, message channel permissions, ClawHub) the agent will use and where they must be provided.
2) Verify where memory/release-log.md is stored and its retention/visibility.
3) If you don't want the skill to run autonomously, disable automatic invocation or require explicit user confirmation for every release.
4) Test the skill in a non-production environment to confirm it only accesses the repositories and message channels you expect.
If the maintainer can update SKILL.md to list required integrations and limit the sources checked, the concerns will be largely addressed.
