Skill v1.1.0
ClawScan security
Skill Auto Publisher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 15, 2026, 7:04 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what its description says (local validation, version bump, changelog, publish via CLI) but contains several incoherences and surprising behaviors (mixed CLI names, hardcoded root history path, minor bugs) that should be understood before use.
- Guidance: This package appears to implement a legitimate ClawHub publish helper, but contains several inconsistencies you should check before trusting it: (1) Confirm which CLI it expects — 'clawhub' or 'skillhub' — and that that CLI is installed and logged in; (2) Inspect/approve the scripts (they will run locally) and be aware publish.sh will call the CLI and update _meta.json in the target skill directory; (3) Note that publish_history.py writes to /root/.openclaw/workspace/skills/.publish_history.json — consider changing that path to a user-writable location or running as a non-root user to avoid privileged writes; (4) The scripts snapshot all files under the skill directory (hashing them) — ensure there are no sensitive files you don't want recorded; (5) There are small logic bugs (exit-code handling and mismatched example paths) that could cause unexpected behavior; test the scripts in a safe/non-production environment first and consider running them manually to confirm what they will do before letting an agent invoke them autonomously.
Review Dimensions
- Purpose & Capability (concern): The declared purpose is 'publish skill to ClawHub' and most code aligns with that (calls a publish CLI). However scripts reference two different CLI names ('skillhub' in check_slug.py vs 'clawhub' in publish.sh/README), which is inconsistent and could cause failures or unexpected behavior. The skill otherwise doesn't request unrelated permissions or secrets.
- Instruction Scope (concern): SKILL.md and scripts mostly stick to publishing tasks (validate metadata, bump version, call CLI, write history). But there are mismatches: SKILL.md refers to reading a local .publish_history.json and to scripts/show_history.py, while the code writes/reads /root/.openclaw/workspace/skills/.publish_history.json and the show script path differs. The scripts operate on arbitrary files under the skill directory (snapshotting all files) which is expected for changelog, but could include secrets if present in the skill dir.
- Install Mechanism (ok): This is instruction-only with bundled scripts; there is no external download/install step. No installer URLs or package pulls were found.
- Credentials (concern): The skill does not declare environment variables or credentials, but it expects external CLIs (clawhub/skillhub) to be installed and logged in. The scripts also write a persistent history file to /root/.openclaw/workspace/skills/.publish_history.json — writing into /root is surprising and may be inappropriate for non-root agents. No secrets are exfiltrated, but the skill implicitly relies on existing CLI authentication (not surfaced in metadata).
- Persistence & Privilege (concern): The skill does not set always:true and does not modify other skills, which is good. However it persists publish history under a hardcoded root path (/root/.openclaw/...), creating files outside the skill directory. That is a surprising level of persistence and may fail or be privileged on many systems.
