ClawHub Skill Publisher
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: lum-skill-publisher
Version: 1.0.1
The skill's `SKILL.md` instructs the AI agent to install other skills from ClawHub into a temporary directory and then `read their SKILL.md + README.md` for analysis. This creates a significant prompt injection vulnerability, as the agent is directed to process markdown content from potentially untrusted external sources. A malicious skill's `SKILL.md` could contain instructions designed to hijack the analyzing agent's subsequent actions, potentially leading to arbitrary command execution, data exfiltration, or malicious modification of the user's skill draft before publishing, even though the skill itself does not exhibit direct malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may change README/SKILL content and publish a marketplace listing under the user’s account if the user follows or approves the workflow.
The skill is explicitly intended to edit local skill files and publish them to ClawHub. This is purpose-aligned, but file mutation and public publishing are high-impact actions that should be reviewed by the user before execution.
“patches your files to match marketplace standards, and walks you through `clawhub publish`.”
Review file diffs before accepting patches and require an explicit final confirmation before running `clawhub publish`.
Researching competitor skills may bring untrusted skill artifacts into the local environment.
The workflow installs third-party marketplace skills for research. This is central to the stated purpose and scoped to a temp directory, but the installed content is unpinned and comes from external publishers.
“Install top 3-5 results for analysis” and `clawhub install <slug1> --dir /tmp/ch-research --force`
Install only skills you intend to inspect, use a temporary directory as shown, avoid running installed skills, and consider pinning versions where the ClawHub CLI supports it.
A malicious or poorly written third-party skill document could try to influence the agent while it is being analyzed.
Other skills’ SKILL.md files are instruction-bearing documents. Reading them as research material is expected here, but the agent should treat their contents as untrusted data rather than instructions to follow.
“read their SKILL.md + README.md”
Instruct the agent to extract only marketplace-pattern facts from competitor files and to ignore any commands, role changes, or instructions contained in those files.
Actions taken by the workflow may be attributed to the user’s ClawHub account.
Publishing uses the user’s authenticated ClawHub CLI identity. This is expected for a publisher skill, and the artifacts do not show credential logging, hardcoded secrets, or unrelated account access.
`clawhub whoami` and `clawhub publish ./skills/<your-skill> --slug <your-slug>`
Confirm the active ClawHub account with `clawhub whoami` and publish only after reviewing the final content and metadata.
