Clawhub Cli

v1.0.2

Use the ClawHub CLI to search, install, update, and publish agent skills from clawhub.ai. Use when you need to fetch new skills on the fly, sync installed sk...

by openlang @openlang-cn
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (ClawHub CLI manager) align with the shipped docs and scripts. All files (SKILL.md, reference docs, and shell helpers) are focused on searching, installing, updating, publishing, and syncing skills via the `clawhub` CLI. There are no declared env vars, unrelated binaries, or config paths requested that would be out-of-scope.
Instruction Scope
SKILL.md gives concrete command patterns and guardrails. The instructions only direct the agent to run `clawhub` commands, prompt for login (interactive or token), and to inspect local skill folders before publishing. The shipped scripts run the `clawhub` CLI and check `--help` for supported flags; they do not read or exfiltrate arbitrary files or environment variables. The package also explicitly warns not to publish secrets, which matches the publish/sync functionality.
Install Mechanism
This is an instruction-only skill (no platform install spec). The playbook advises installing `clawhub` via `npm i -g clawhub` (or pnpm), which is reasonable given the CLI-based design, but it does require installing a global npm package in the environment. There is no bundled binary download or obscure URL; the install step relies on a public package ecosystem. Users should verify the `clawhub` package source and trustworthiness before installing globally.
Credentials
The skill declares no required environment variables or credentials. It sensibly instructs the user to log in to the CLI (interactive or `--token <api-token>`), which is proportional and expected for a publish/sync tool. The docs repeatedly emphasize not to publish `.env` or other secrets. There are no unexpected credential requests or environment access attempts in the scripts or docs.
Persistence & Privilege
`always` is false, and the skill does not request permanent system presence or modify other skills' configurations. The provided scripts are local helpers that invoke the `clawhub` CLI; they do not alter agent config or attempt privileged persistence.
Assessment
This package appears coherent and focused on managing ClawHub skills. Before using it:
1) Verify the authenticity of the `clawhub` npm package (check the package owner, homepage, and repository) before running `npm i -g clawhub` or installing globally.
2) When publishing or syncing, carefully review the folder contents and remove any `.env`, private keys, cloud credentials, or proprietary files — the skill's docs explicitly call this out.
3) Prefer using a token with minimal required scope for CLI login (not a broad admin key) and consider testing publish/sync with `--dry-run` or in a throwaway workspace first.
4) If you cannot verify the CLI package, run the provided scripts in an isolated environment (container or VM) to limit potential impact.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c9xm0v26kp9tp8be6x5vbm9833w2k

Runtime requirements

🦞 Clawdis
OS: Linux · macOS · Windows