ClawHub

Kai Skill Creator

Create new OpenClaw skills that pass ClawHub validation on first attempt. Use when building a new skill for OpenClaw. Teaches the complete process from templ...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 89 · 0 current installs · 0 all-time installs
byBlaze🔥@ogdegenblaze
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the included SKILL.md and helper script: both are about creating new OpenClaw skills. Declaring python3 (used to run the provided quick_validate.py step) is reasonable even though the helper bash script itself doesn't need Python.
Instruction Scope
Instructions operate on the user's OpenClaw workspace and config (copying templates, writing SKILL.md, editing ~/.openclaw/openclaw.json and running a validator). This is expected for a skill-creation tool, but the docs contain absolute user-specific paths (/home/kai/...) and recommend placing secrets into the OpenClaw config — the user should confirm those paths match their environment and avoid putting production secrets into repository files.
Install Mechanism
There is no install spec and only an instruction-only SKILL.md plus a small bash helper script; nothing is downloaded or written to disk by an installer step beyond what the user runs locally.
Credentials
The skill declares no required environment variables. The documentation shows how to declare and let OpenClaw inject env vars, and instructs adding secrets to ~/.openclaw/openclaw.json — functionally coherent, but storing secrets in local config should be done carefully (use least-privilege test keys and avoid committing secrets).
Persistence & Privilege
The skill does not request always:true and does not auto-enable itself. It tells the user how to copy the skill to global directories and edit the agent config, which is expected for publishing a skill and is not an elevated privilege in itself.
Assessment
This skill is coherent for building OpenClaw skills, but take these precautions before installing/using it: 1) Verify the absolute paths in SKILL.md (/home/kai/...) match your environment and update them if needed. 2) Review the create_skill.sh content locally to ensure it only does the expected file copies/renames and does not add unintended files. 3) Do not place production API keys in repository files; if you must add secrets to ~/.openclaw/openclaw.json, use test keys and ensure the file is not committed to source control. 4) Run the suggested validation locally (python3 quick_validate.py) and test your generated script with bash -n / functional runs before publishing. 5) If you plan to publish, confirm the template (kai-minimax-tts) is trustworthy and free of any external URLs or hidden endpoints.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.6
Download zip
creatorvk9768zfgvc15vj8za236p2z1j98387pdguidevk9768zfgvc15vj8za236p2z1j98387pdkaivk9768zfgvc15vj8za236p2z1j98387pdlatestvk9768zfgvc15vj8za236p2z1j98387pdskillsvk9768zfgvc15vj8za236p2z1j98387pd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3

SKILL.md

Kai Skill Creator

Create OpenClaw skills correctly. Learned from getting kai-minimax-tts and kai-skill-creator to pass ClawHub scan.

Quick Start

1. Clone Template

cp -r /home/kai/.openclaw/workspace/skills/kai-minimax-tts /home/kai/.openclaw/workspace/skills/<NEW_SKILL>

2. Edit SKILL.md

CORRECT FRONTMATTER:

---
name: skill-name
description: What this skill does and when to use it
metadata:
  openclaw:
    requires:
      bins:
        - binary1
        - curl
      env:
        - API_KEY
---

# My Skill

Brief description...

## Usage
Commands and examples...

3. Write Script

chmod +x /home/kai/.openclaw/workspace/skills/<NEW_SKILL>/scripts/<script>.sh

4. Validate

python3 /home/kai/.nvm/versions/node/v22.22.1/lib/node_modules/openclaw/skills/skill-creator/scripts/quick_validate.py /home/kai/.openclaw/workspace/skills/<NEW_SKILL>

5. Copy to Global

cp -r /home/kai/.openclaw/workspace/skills/<NEW_SKILL> /home/kai/.openclaw/skills/<NEW_SKILL>

6. Register in Config

Add to ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "<SKILL_NAME>": {
        "enabled": true
      }
    }
  }
}

7. Publish

cd ~/.openclaw/workspace
npx clawhub publish skills/<SKILL_NAME> --slug <SKILL_NAME> --version 1.0.0 --tags "tag1,tag2"

⚠️ CRITICAL: What NOT to Do

❌ NEVER Hardcode API Keys

# FLAGGED!
API_KEY="sk-api-xxxxx"

❌ NEVER Load .env in Script

# FLAGGED! Security risk
source ~/.env

❌ NEVER Use homepage Key

# FLAGGED! Causes validation failure
homepage: https://example.com

❌ NEVER Mention External API URLs

# FLAGGED! External endpoint reference
Get key from: https://api.example.com

Keep docs minimal. Scanner interprets URL mentions as potential data exfiltration.

❌ NEVER Leave Env Vars Undeclared

# MISMATCH! Script uses $API_KEY but not declared
metadata:
  openclaw:
    requires: {}

❌ Script Syntax Errors

# Test your script before publishing!
bash script.sh --test
# If EOF error or syntax issues → FLAGGED

✅ The CORRECT Pattern

Declaring Requirements

metadata:
  openclaw:
    requires:
      env:
        - MINIMAX_API_KEY
        - CUSTOM_VAR
      bins:
        - curl
        - whisper

Using Env Vars (Auto-Injected)

# Just use directly - OpenClaw injects these
API_KEY="$MINIMAX_API_KEY"
curl -H "Authorization: Bearer ${API_KEY}" ...

Adding Secrets to Config

{
  "skills": {
    "entries": {
      "my-skill": {
        "enabled": true,
        "env": {
          "API_KEY": "actual_key_here"
        }
      }
    }
  }
}

Scanner Checks (What Gets Flagged)

The ClawHub scanner verifies:

  1. Coherence: Declared requirements match actual code
  2. No surprise permissions: Env vars/bins declared = actually used
  3. No data exfiltration: External URLs in docs = red flag
  4. Valid syntax: Scripts must parse without errors
  5. Purpose clarity: Description matches what code actually does

Green = purpose, permissions, and code all match.

Pre-Publish Checklist

  • No API keys hardcoded anywhere
  • No .env loading statements
  • All env vars declared in requires.env
  • All bins declared in requires.bins
  • No homepage key
  • No external API URLs in docs
  • Script has valid syntax (test it!)
  • Script produces expected output
  • Version bumped (1.0.0 → 1.0.1 → etc)
  • Validated with quick_validate.py

Troubleshooting

ProblemCauseFix
"Omits required env"Env var used but not declaredAdd to requires.env
"Binary not found"Wrong binary nameUse exact name, no path
"Unexpected permissions"More bins declared than neededRemove unused
"Purpose mismatch"Docs say one thing, code does anotherAlign description
"External endpoint"URL mentioned in docsRemove URL references
EOF/syntax errorScript has bash errorsFix syntax before publish

Testing Tips

Test script locally:

# With inline env var for testing
MINIMAX_API_KEY=test_key bash scripts/script.sh --speak "test" en

# Check syntax
bash -n scripts/script.sh

File Locations

PurposePath
Workspace skills~/.openclaw/workspace/skills/
Global skills~/.openclaw/skills/
Config~/.openclaw/openclaw.json
Validator/home/kai/.nvm/versions/node/v22.22.1/lib/node_modules/openclaw/skills/skill-creator/scripts/quick_validate.py
Template~/.openclaw/workspace/skills/kai-minimax-tts/

Updated 2026-03-20 - Full scan passage for kai-minimax-tts and kai-skill-creator

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…