Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skill Publish Tool
v1.0.4自动更新 GitHub 仓库并发布 Skill 到 ClawHub。当用户需要发布 skill 更新时使用此技能。支持自动版本号递增、更新日志管理、Git 提交推送、ClawHub 发布。
⭐ 0· 90·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the code: the script updates package.json/_meta.json and README, commits/pushes via Git, and runs npx clawhub publish. However the registry metadata omitted required runtime dependencies (SKILL.md and the script require Git and Node/npm/npx), so the declared requirements are incomplete.
Instruction Scope
The runtime instructions and included script perform the advertised actions, but the script builds shell command strings from user inputs (slug, changelog, commit message, paths) and executes them via subprocess.run(..., shell=True). This introduces command injection and quoting issues (e.g., unescaped double quotes or shell metacharacters in --changelog or --slug). The USAGE/FAQ also suggests potentially dangerous operations like force-push, which can overwrite remote history if followed blindly.
Install Mechanism
There is no install spec in the registry, but the script invokes 'npx clawhub@latest', which will dynamically download/run code from the npm registry. Dynamic npx usage is convenient but means code is fetched at runtime from an external package registry (not bundled), which is a moderate-risk behavior and should be noted to users.
Credentials
The skill declares no required environment variables or credentials, which aligns with most of its behavior. It does, however, rely on local Git credentials (credential helper or SSH keys) and possibly npm auth if ClawHub publishing requires authentication; these implicit requirements are not declared in metadata and should be documented.
Persistence & Privilege
The skill does not request permanent always:true inclusion, does not modify other skills, and only acts when invoked. It writes to files within the provided skill directory and may init a Git repo there — this is expected for a publisher.
What to consider before installing
This tool appears to implement the advertised publish workflow, but review and caution are advised before use:
- Review the script before running. It uses shell=True and composes shell commands with user-supplied inputs (slug, changelog, commit message). Malicious or accidental special characters can change commands or inject arbitrary shell commands. If you don't trust inputs, do not run it.
- Test in a throwaway repository first. Run with --skip-git and --skip-clawhub to verify file updates, then run with --skip-clawhub to validate Git behavior before publishing.
- Sanitize inputs you pass (avoid quotes, backticks, semicolons, &&, |, etc.) or modify the script to use subprocess.run([...], shell=False) and properly escape/quote arguments.
- Be cautious with the USAGE suggestions about force-push; force-pushing can irreversibly overwrite remote history.
- Consider installing/pinning clawhub instead of using npx @latest (npx downloads code at runtime). If you must use npx, prefer pinning a known-safe version rather than @latest.
- Ensure Git credentials and npm/ClawHub authentication are configured in a secure way (SSH keys or credential helpers), and avoid running the publish as root or in environments with broad access.
If you want a higher-confidence assessment, provide any CI usage examples, the expected format of ClawHub authentication (token vs interactive login), or allow me to suggest a minimal patch to remove shell=True and safely pass arguments to external commands.Like a lobster shell, security has layers — review code before you run it.
latestvk976nx1d2sxx6a13t1ncfatc1s83bbdr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.