Skill Publish
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user approves the wrong folder, slug, or metadata, content could be published publicly.
The skill documents a high-impact publish command, but it is directly tied to the skill purpose and explicitly gated on user approval.
Only after approval: npx clawhub publish <folder> --slug "<slug>" --name "<name>" --version "<version>"
Inspect the publish folder and confirm slug, name, version, description, and file list before approving the publish step.
Running the command may execute the current ClawHub CLI package available to npx.
The documented workflow invokes the ClawHub CLI through npx without pinning a package version; this is expected for the publishing workflow but depends on trusted package tooling.
npx clawhub publish <folder>
Use a trusted environment and consider pinning or verifying the ClawHub CLI version if reproducibility or supply-chain control matters.
Accidentally published private data or incorrect content may require a new version or support intervention to remediate.
The artifacts acknowledge that published skills can persist publicly, so a mistake in sanitization or approval may have lasting impact.
**Run this BEFORE any publish.** Public skills are permanent.
Treat the pre-publish review as the final checkpoint and verify that secrets, personal data, and internal references have been removed.
