OpenClaw Guide
v1.0.0
Authoritative OpenClaw guidance and documentation lookup. Provides accurate information about OpenClaw capabilities, configuration, and usage based on offici...
by Andy Tien (@linux2010)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is described as a docs-and-source lookup tool and the files and instructions align with that purpose. However, scripts/search_github.py calls the GitHub CLI ('gh') and expects to use it, yet the skill declares no required binaries or environment needs. That mismatch should be declared (gh binary and possible GitHub auth).
Instruction Scope
SKILL.md confines actions to official domains (docs.openclaw.ai and github.com/openclaw/openclaw), instructs web_search/web_fetch and cross-referencing with source code, and includes sensible response templates. The scripts do not read arbitrary local files or exfiltrate data in their current form.
Install Mechanism
There is no install spec (instruction-only) and the included scripts are small and local. No downloads or archive extraction are requested, which is low risk from an install perspective.
Credentials
The skill declares no required env vars, but search_github.py relies on the GitHub CLI which may use local GitHub credentials or require interactive auth; this implicit dependence on local credentials is not declared. Reference files mention local config paths (e.g., ~/.openclaw/config.json) as documentation pointers — the skill does not explicitly instruct reading them, but the presence of these paths could be misinterpreted.
Persistence & Privilege
always is false and there is no indication the skill requests permanent elevated privileges or modifies other skills or system-wide settings. Autonomous invocation is allowed by default and is not by itself a red flag here.
What to consider before installing
This skill appears to do what it says (look up docs and source), but take these precautions before installing:
1) Confirm provenance — the registry metadata has no homepage and the owner is an opaque ID; prefer skills with known authors.
2) The included scripts call the GitHub CLI ('gh') but the skill doesn't declare that requirement; if you install it, ensure 'gh' is present and understand that 'gh' may use your local GitHub credentials (so the skill could indirectly access repo data your account can access).
3) Review the scripts yourself (they are short) and consider running them in a sandboxed environment first.
4) If you want stronger safety, ask the maintainer to declare required binaries (gh) and any permissions needed, or to provide a version that uses only unauthenticated web fetches.
5) Limit agent autonomy or network access if you are uncomfortable with the skill executing CLI tools that may use local credentials.
Like a lobster shell, security has layers — review code before you run it.
