ClawHub

Clawhub Publish Best Practices

v1.0.1

ClawHub Skills 发布最佳实践和经验教训

0· 61·1 current·1 all-time
by@hanxueyuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name and description match the SKILL.md contents: a step-by-step best-practices guide for publishing ClawHub skills. It declares no binaries, env vars, or installs — which is appropriate for a documentation/checklist skill.
Instruction Scope
The instructions are operational publishing steps (view tracking files, check slugs, use 'clawhub publish' or 'clawhub sync', check rate limits, update logs). They reference workspace paths and common shell commands (cat, ls, head, simple for-loop with grep). Nothing in the document instructs reading unrelated secrets or transmitting data to external endpoints; the scope stays within publishing workflow. Note: it includes a 'clawhub sync' option which the document itself warns can scan all local skills — that is expected but worth being cautious about in practice.
Install Mechanism
No install spec and no code files. This is the lowest-risk form: purely instructional text with no downloads or archive extraction.
Credentials
No environment variables, credentials, or config paths are requested, which aligns with a documentation-only skill. The instructions do reference local workspace paths (e.g., /workspace/projects/...), so running the described commands will read local files — expected for a publish checklist but users should be aware that following the steps requires filesystem access in the workspace.
Persistence & Privilege
The skill is not always-on, does not request persistent installation or elevated privileges, and does not modify other skills' configuration. Autonomous model invocation is allowed by platform default but that is not unusual for an instruction-only skill.
Assessment
This skill is a documentation/checklist and is internally consistent with that purpose. Before using it: (1) confirm you trust any agent or user who will run the shell commands because they read and act on files under /workspace/...; (2) avoid running 'clawhub sync' unless you intentionally want a scan of all local skills (the doc warns this can attempt to publish local/private skills); (3) ensure the environment won't execute destructive commands (e.g., rm -rf) automatically; and (4) keep the tracking files (PUBLISHED_SKILLS_MAINTENANCE.md, etc.) in a secure workspace so publishing metadata isn't exposed. If you want extra safety, run the checklist steps manually rather than letting an agent invoke them autonomously.

Like a lobster shell, security has layers — review code before you run it.

latestvk974fyw4m714gtp21gzm33n14584hyf6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments