Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawmart Upload

v1.5.5

Upload your current OpenClaw configuration to the ClawMart marketplace


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for rxdaozhang/clawmart-upload.

Install the skill "Clawmart Upload" (rxdaozhang/clawmart-upload) from ClawHub.
Skill page: https://clawhub.ai/rxdaozhang/clawmart-upload
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install clawmart-upload

ClawHub CLI


npx clawhub@latest install clawmart-upload

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)

Purpose & Capability
The name/description (upload OpenClaw config to ClawMart) matches the runtime instructions: reading ~/.openclaw/workspace, collecting OpenClaw files and local skills, building a JSON payload, and sending it to a ClawMart API with a user-provided token. Writing a small config file to ~/.openclaw/clawmart-config.json to store the token is consistent with the stated purpose.
Instruction Scope
Instructions are precise about paths (~/.openclaw/workspace, lock.json, skills/). They include a scan for sensitive patterns and will prompt the user if any are found, but they do not automatically scrub secrets — if the user confirms, those files will be uploaded. This is coherent with the upload purpose but increases the risk of accidental secret exfiltration if the user approves an upload without removing secrets first.
Install Mechanism
Instruction-only skill with no install spec and no binaries to install or run. No code is written by the installer beyond the normal write-to-home behavior described in the SKILL.md (saving the API token).
Credentials
The skill requests no environment variables or external credentials automatically, but it instructs the user to paste a ClawMart API token which it will save to ~/.openclaw/clawmart-config.json in plaintext. That is proportional to the upload task, but users should be aware their token will be stored locally and that the skill can send any file confirmed for upload to the specified base URL.
Persistence & Privilege
always is false and the skill does not request system-level privileges. It will write a single config file in the user's OpenClaw config directory and read the workspace directory as needed—behavior consistent with its purpose.
Assessment
Before installing or running this skill: (1) Verify the upload endpoint (the SKILL.md targets https://clawmart-gray.vercel.app) is the official ClawMart service you trust. (2) Review the list of files the skill will package; remove or redact any secrets (API keys, passwords, tokens) before uploading — the skill will warn if it finds patterns but will upload if you confirm. (3) Be aware the provided token is stored in ~/.openclaw/clawmart-config.json in plaintext. (4) If you have doubts about the target domain or the origin of this skill (source/homepage unknown), consider manually packaging and uploading instead of giving the agent direct permission to read your workspace and send data.

Like a lobster shell, security has layers — review code before you run it.

latest vk978nb4jqadrf4fpn8prq48j5x83xnet
141 downloads
1 star
11 versions
Updated 4w ago
v1.5.5
MIT-0

ClawMart Upload Skill

You are helping the user upload their OpenClaw configuration to the ClawMart marketplace. Follow these steps exactly and in order.

Configuration

  • ClawMart API base URL: https://clawmart-gray.vercel.app
  • Config file: ~/.openclaw/clawmart-config.json
  • API endpoint: POST {base_url}/api/packs

Step 1: Check API Token

Read ~/.openclaw/clawmart-config.json. If the file does not exist or token is empty:

Tell the user:

You need a ClawMart API Token to upload. Please visit https://clawmart-gray.vercel.app/dashboard/tokens to generate one, then paste it here.

Once the user provides a token (format: cm_ followed by hex characters), save it:

{
  "token": "<user_provided_token>",
  "base_url": "https://clawmart-gray.vercel.app"
}

Write this to ~/.openclaw/clawmart-config.json.


Step 2: Scan Workspace Files

Scan ~/.openclaw/workspace/ for OpenClaw configuration files. Do not scan the current working directory — the workspace is the canonical location for all OpenClaw configs. OpenClaw supports two naming conventions — match either format:

Default format (no prefix)                Prefixed format                    Type
SOUL.md                                   *.soul.md                          SOUL
AGENTS.md                                 *.agents.md                        AGENTS
BOOT.md                                   *.boot.md                          BOOT
HEARTBEAT.md                              *.heartbeat.md                     HEARTBEAT
MEMORY.md                                 memory_*.json or memory-*.json     MEMORY
IDENTITY.md                               -                                  IDENTITY
TOOLS.md                                  -                                  TOOLS
USER.md                                   -                                  USER
BOOTSTRAP.md                              -                                  BOOTSTRAP
skills/*.skill.md or skills/*/SKILL.md    -                                  LOCAL SKILLS

Exclude any skill whose slug starts with clawmart- — these are ClawMart utility skills and should never be packaged or referenced in a user pack.

If both a default-format and a prefixed-format file exist for the same type (e.g., SOUL.md AND claude.soul.md), include both and note the duplication to the user.

Skill Classification

Read ~/.openclaw/workspace/.clawhub/lock.json. This file is the authoritative record of all skills installed from clawhub.

For each skill subfolder in ~/.openclaw/workspace/skills/:

  • Slug is in lock.json → installed from clawhub. Read slug and version from lock.json. Record as metadata only — file contents are not included in the zip.
  • Slug is NOT in lock.json → user-authored locally (never installed from clawhub). Include the full SKILL.md content in the zip under skills/.

Do not use _meta.json presence to classify skills — it is unreliable. Do not scan any other directories.

Show the user a summary:

Found the following OpenClaw configuration files:

SOUL:          SOUL.md
AGENTS:        AGENTS.md
IDENTITY:      IDENTITY.md
HEARTBEAT:     HEARTBEAT.md
MEMORY:        MEMORY.md
TOOLS:         TOOLS.md
USER:          USER.md
CLAWHUB SKILLS (installed via clawhub, metadata only):
  - <skill-slug-1>   (v1.0.0)
  - <skill-slug-2>   (v2.1.0)
LOCAL SKILLS (not in clawhub, full content included):
  - <my-custom-skill>

Include all? Or exclude specific files? (all / enter filenames to exclude)

If lock.json does not exist, treat all skills as clawhub skills and note this to the user.

Wait for user confirmation before proceeding.


Step 3: Sensitive Information Check

Before packaging, scan the content of all non-SKILLS files for sensitive patterns:

  • Strings matching (sk-|cm_|ghp_|ghs_|ghu_)[A-Za-z0-9]{20,} (API keys/tokens)
  • Strings matching (password|passwd|secret|api_key)\s*[:=]\s*\S+ (credentials)
  • Any string longer than 20 chars after Bearer or Token

If any sensitive pattern is found, tell the user exactly which file and line, and ask:

Sensitive information detected in {filename} at line {line}: {masked_value}. It is recommended to remove it before uploading. Continue anyway? (y/n)

Only proceed if user says yes.
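
The Step 3 check, written out as an added example (not part of the original SKILL.md or the ClawMart project). Case-sensitive matching, the reading of the Bearer/Token rule as 21 or more non-space characters, and the masking rule are assumptions; the sample files are constructed.

```python
import re

# Patterns copied from Step 3. Case-sensitive matching is an assumption;
# the page does not name any regex flags.
PATTERNS = [
    ("api-key", re.compile(r"(?:sk-|cm_|ghp_|ghs_|ghu_)[A-Za-z0-9]{20,}")),
    ("credential", re.compile(r"(?:password|passwd|secret|api_key)\s*[:=]\s*(\S+)")),
    # "longer than 20 chars after Bearer or Token" read as 21+ non-space chars.
    ("auth-header", re.compile(r"\b(?:Bearer|Token)\s+(\S{21,})")),
]

def mask(value, keep=4):
    """Hypothetical masking rule: show the first `keep` characters only."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_text(filename, text):
    """Return (filename, line_no, rule, masked_value) for every match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)  # captured value, else whole match
                findings.append((filename, line_no, rule, mask(secret)))
    return findings

# Constructed sample workspace content (not real credentials).
SAMPLE_FILES = {
    "TOOLS.md": "\n".join([
        "# Tools",
        "github token: ghp_" + "a1B2" * 6,
        "password = hunter2hunter2",
        "curl -H 'Authorization: Bearer " + "x" * 24 + "'",
        "AWS_SECRET_ACCESS_KEY=" + "Q" * 40,  # upper-case name: slips past the patterns
    ]),
    "SOUL.md": "You are a careful research assistant.",
}

def scan_files(files):
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings

if __name__ == "__main__":
    for filename, line_no, rule, masked in scan_files(SAMPLE_FILES):
        print(f"Sensitive information detected in {filename} at line {line_no}: {masked} ({rule})")
```

Step 3 as written covers only non-skill files, while Step 5 uploads local SKILL.md content in full; running the same scan over those files, and matching case-insensitively, narrows what the prompt can miss.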


Step 4: Collect Pack Metadata

Ask the user for:

  1. Title: What is the name of this Pack? (e.g., Deep Research Analyst)
  2. Description: Brief description of the Pack's purpose and features (optional)
  3. Version: Version number? (default: 1.0.0)

Check ClawMart to see whether the user already has a pack with the same title:

GET {base_url}/api/packs/search?q={title}
Authorization: Bearer {token}

If a matching pack already exists, ask:

A pack named "{title}" already exists. Upload as new version {new_version}? (y/n)

If yes, note this for the upload.


Step 5: Build Upload Payload

Construct the files array for the JSON payload:

  1. For each non-skill OpenClaw file confirmed in Step 2, add:

    { "name": "<filename>", "content": "<full file text>" }
    

    Use just the filename (no path prefix) — e.g., "SOUL.md", "AGENTS.md", "memory_projects.json".

  2. For each local skill (user-authored, no _meta.json) confirmed in Step 2, add:

    { "name": "skills/<filename>", "content": "<full SKILL.md text>" }
    

    Preserve the skills/ prefix so the server can classify them correctly.

  3. If there are any external (clawhub) skills, add a skills-manifest.json entry:

    {
      "name": "skills-manifest.json",
      "content": "{\"clawhub_skills\": [{\"slug\": \"...\", \"version\": \"...\", \"ownerId\": \"...\"}]}"
    }
    

    Only include this entry if there is at least one external skill.


Step 6: Upload to ClawMart

Send the upload request:

POST {base_url}/api/packs
Authorization: Bearer {token}
Content-Type: application/json

{
  "title": "<user provided title>",
  "description": "<user provided description>",
  "version": "<version>",
  "files": [ ...files array from Step 5... ]
}

On success (HTTP 201), tell the user:

Pack "{title}" has been submitted for review. It is typically approved within 24 hours. View status: {base_url}/dashboard/packs

On error, show the error message and stop.


Notes

  • Local skill file contents are included directly in the JSON payload under the skills/ prefix
  • External skills are recorded in skills-manifest.json — slug, version, and ownerId only, no file content
  • The token is stored locally and reused on future uploads
  • If the token is rejected (401), ask the user to generate a new one at {base_url}/dashboard/tokens
