Clawhub Publisher

v1.0.0

Automate skill publishing to ClawHub with versioning, changelog generation, asset bundling, metadata validation, and one-command deployment.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be a 'ClawHub Publisher' (publishing, changelogs, bundling, analytics) and shows example usage that requires an external package (clawhub-publisher) and an environment variable (process.env.CLAWHUB_API_KEY). However, the skill bundle contains no runtime code or binaries, and the registry metadata lists no required environment variables or primary credential. That mismatch (described capability vs. actual footprint) is incoherent: either this skill is only documentation/instructions or it omits critical required credentials and code.
Instruction Scope
The SKILL.md stays within the publishing domain (reading a skillPath, generating changelog from git, interacting with ClawHub via an API key). It does instruct use of git metadata and local skill directories (skillPath), which is expected for a publisher. However, the instructions reference an environment variable (CLAWHUB_API_KEY) and remote operations (publishing, analytics, team management) that are not declared in the registry metadata—this is a scope/requirements mismatch that should be reconciled.
Install Mechanism
There is no install spec in the registry bundle; SKILL.md tells users/agents to run npm or pip installs (npm install clawhub-publisher). That means runtime behavior depends on fetching an external package from package registries. The package.json in the bundle references an index.js and a CLI, but those files are not included in this skill bundle. This forces installing and executing external code to get the described functionality—reasonable for a publisher tool but higher risk because the bundle doesn't include or verify that external code.
Credentials
The example usage and CI instructions require an API key (CLAWHUB_API_KEY) and possibly other secrets (CI secrets for GitHub Actions). Yet the registry metadata declares no required env vars or primary credential. Requesting an API key for publishing is reasonable, but not declaring it in metadata and not providing the implementation to show how it's used is a red flag. Ensure only a service-scoped publishing token is requested and that the skill does not ask for unrelated credentials.
Persistence & Privilege
The skill does not request persistent always-on presence and default autonomy settings are unchanged. There is no evidence it modifies other skills or global agent config. No persistence/privilege escalation indicators in the provided files.
What to consider before installing
This skill's documentation shows a publisher that requires installing an external npm/pip package and an API key (CLAWHUB_API_KEY), but the distributed bundle contains only documentation and package metadata (no index.js or CLI), and the registry metadata does not declare the API key requirement. Before installing or giving any secrets:
1) Verify the referenced package exists on npm/PyPI and inspect its source (or the GitHub repository) to confirm behavior and trustworthiness;
2) Confirm the CLAWHUB_API_KEY is the only credential required and that it can be scoped to publishing (not a full admin/other-service key);
3) Prefer to run installs in an isolated environment (sandbox/container) and audit the package contents before running;
4) Ask the publisher to update registry metadata to list required env vars and include or link to the implementation so you can review it.
If you cannot inspect the external package or repository, treat this skill as higher risk and avoid providing sensitive credentials.