ClawdHub Publish Helper

v1.0.1

Prepare and publish an OpenClaw skill to ClawHub. Handles PII/secret auditing, generalization, env var extraction, directory scaffolding, git init, and the c...

⭐ 0· 102·0 current·0 all-time

by@cdmichaelb

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cdmichaelb/clawhub-publish-helper.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "ClawdHub Publish Helper" (cdmichaelb/clawhub-publish-helper) from ClawHub.
Skill page: https://clawhub.ai/cdmichaelb/clawhub-publish-helper
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install clawhub-publish-helper

ClawHub CLI

Package manager switcher

npx clawhub@latest install clawhub-publish-helper

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

medium confidence

ℹ

Purpose & Capability

The name/description match the SKILL.md workflow (audit → generalize → git → publish). However the manifest declares no required binaries or env vars even though the instructions assume standard CLI tools (git, npx/Node, grep/grep-compatible shell utilities). This is likely an oversight but worth noting.

ℹ

Instruction Scope

Instructions explicitly require reading every file in the skill directory, creating a separate copy, removing secrets/PII, running grep-based verification, and asking the user before publishing. Reading all files is necessary for an audit tool, but it also means the agent will see any secrets in the directory — the SKILL.md instructs reporting findings to the user rather than sending them externally, which is appropriate.

ℹ

Install Mechanism

This is instruction-only (no install spec). The publish step uses `npx clawhub@latest publish`, which will fetch code from the npm registry at runtime — expected for invoking the official CLI but it does imply a network download/execution step that is not declared in an install spec. No arbitrary download URLs or extract operations are present in the skill itself.

✓

Credentials

The skill declares no required environment variables or credentials. It suggests (as part of its process) creating and declaring env vars for the published skill, and references an optional CLAWHUB_DEFAULT_DIR env var for the output directory. No unrelated credentials are requested.

✓

Persistence & Privilege

always is false and the skill is user-invocable. Model invocation is allowed (default), which is normal for skills. There is no request for permanent system changes beyond creating a publishable copy and initializing a git repository in that copy.

Assessment

This skill appears to do what it says, but be cautious before running it: 1) It will read every file in the skill directory — run it only on a directory you trust or on a copy. 2) Ensure git, Node/npm (for npx), and standard shell tools (grep, sed/awk if you use them) are available — the metadata does not declare these. 3) Inspect the generated publishable copy before running the npx publish command — the SKILL.md asks for user confirmation before publishing, and you should verify there are no remaining secrets and that the slug/version are correct. 4) Because npx downloads the CLI at publish time, ensure you trust the npm package being invoked (clawhub). If you want extra safety, perform the steps manually following this checklist rather than letting the agent run them autonomously.

Like a lobster shell, security has layers — review code before you run it.

latestvk97chxwzcvwdjdwvt78h7wb9z5849tt0

102downloads

0stars

2versions

Updated 3w ago

v1.0.1

MIT-0

Publish Skill

Prepare and publish an OpenClaw skill to ClawHub. This skill codifies the audit → generalize → publish workflow.

When To Use

Publishing a new skill to ClawHub
Updating an existing published skill
When the user says "publish this skill", "prepare for publishing", "make a publishable copy"
NOT for installing skills from ClawHub (that's npx clawhub@latest install)

Workflow

Step 1: Audit the Live Skill

Before creating any copy, audit the source skill for secrets and PII:

Read every file in the skill directory recursively
Check for these categories of sensitive content:

Category	Examples	Action
Secrets	API keys, tokens, passwords, private keys	Must remove
Paths	Absolute paths (`/home/username/...`, `/Users/...`)	Replace with env var or `~` relative
Discord IDs	Channel IDs, user IDs, guild IDs, message IDs	Remove or replace with env var
Timezones	Hardcoded IANA timezone strings	Replace with env var
Personal data	Real names, emails, phone numbers, medication names	Remove or generalize
Network info	IP addresses, internal URLs, port numbers	Remove or replace with placeholders
Custom identifiers	User-specific labels, internal project names	Generalize

Report findings to the user before proceeding — do not silently modify

Step 2: Create Publishable Copy

Create a separate directory (never modify the live skill):

$CLAWHUB_DEFAULT_DIR/<skill-name>-skill/

Default base: ~/projects/skills (override via CLAWHUB_DEFAULT_DIR env var).

Directory structure:

<skill-name>-skill/
├── SKILL.md           # Manifest (generalized)
├── README.md          # User-facing docs
├── .gitignore         # Standard ignores
├── scripts/           # Script files (generalized)
├── references/        # Optional reference docs
└── ...                # Any other skill-specific files

Step 3: Generalize Content

For each file in the skill:

SKILL.md frontmatter:

Add env: block declaring all extracted env vars with descriptions and required/optional
Remove any personal identifiers from description

Scripts (Python, Shell, etc.):

Replace hardcoded paths with os.environ.get("VAR", fallback) / env var reads
Replace hardcoded timezones with env var (UTC fallback)
Remove now()/utc_now() fallbacks that bypass source timestamps — raise errors instead
Remove personal data (medication names become empty lists with edit instructions, etc.)
Remove dead code and unused imports

Documentation (Markdown):

Remove Discord IDs, channel names, user IDs
Replace personal examples with generic ones
Keep timezone/ID references only as example values (e.g. "e.g. America/Los_Angeles")
Remove internal URLs/IPs

Shell wrappers:

Use relative path resolution: SCRIPT="$(cd "$(dirname "$0")" && pwd)/tracker.py"
Remove hardcoded absolute paths

Step 4: Verify Clean State

Run a final grep across all files:

grep -rn "hardcoded_pattern1\|hardcoded_pattern2\|..." --include="*.py" --include="*.md" --include="*.sh" .

Verify:

No secrets or tokens remain
No absolute paths containing usernames
No Discord/user IDs
No personal data (real names, specific medication names, etc.)
Timezone strings only in examples/comments, never as runtime defaults
All config via env vars with sensible defaults

Step 5: Git Init and Commit

git init
git add -A
git commit -m "Initial publishable copy — no PII, no secrets"

Step 6: Publish (with user confirmation)

Always confirm with the user before publishing.

npx clawhub@latest publish --slug <skill-name> --version <version> --name "<display name>" /absolute/path/to/skill-dir

Gotchas:

Use absolute paths, not . — cwd may not propagate through exec/shell layers
--slug is required — without it, the CLI picks up the directory name
Slug naming is competitive — every generic name (publish-skill, skill-publisher, etc.) is likely taken. Pick something unique or namespaced (e.g. myname-publish-helper)
Rate limited — if you get slug collisions repeatedly, wait 50s between retries

Common version bumps:

New skill: 1.0.0
Bug fix: patch bump (e.g. 1.0.0 → 1.0.1)
New feature: minor bump (e.g. 1.0.0 → 1.1.0)

After publishing, report the slug, version, and install command to the user.

Common Patterns

Extracting env vars from hardcoded values

Before:

TIMEZONE = ZoneInfo("America/Los_Angeles")
WORKSPACE = "/home/user/.openclaw/workspace"

After:

TZ_STR = os.environ.get("MEDICATION_TIMEZONE", "UTC")
TIMEZONE = ZoneInfo(TZ_STR)
WORKSPACE = os.environ.get("WORKSPACE", os.path.expanduser("~/.openclaw/workspace"))

Replacing personal config with user-editable sections

Before:

MORNING_MEDS = ["RealMedA", "RealMedB"]
KNOWN_MEDS = ["RealMedA", "RealMedB", "RealMedC"]

After:

# Edit these lists to match your regimen
MORNING_MEDS: list[str] = []  # e.g. ["MedA", "MedB"]
KNOWN_MEDS: list[str] = []   # e.g. ["MedA", "MedB", "MedC"]

Removing timestamp fallbacks

Before:

dt_utc = datetime.fromisoformat(ts) if ts else datetime.now(timezone.utc)

After:

if not ts:
    raise ValueError("timestamp_utc is required — source message timestamp must be provided")
dt_utc = datetime.fromisoformat(ts.replace("Z", "+00:00"))

Changelog

Add --changelog <text> to the publish command for release notes. Example:

npx clawhub@latest publish --slug my-skill --version 1.1.0 --changelog "Added env var support, fixed timestamp handling" .

ClawHub CLI Reference

Command	Purpose
`npx clawhub@latest login`	Authenticate (browser callback)
`npx clawhub@latest whoami`	Verify auth
`npx clawhub@latest publish --slug X --version Y .`	Publish from current dir
`npx clawhub@latest inspect <slug>`	View published metadata
`npx clawhub@latest search <query>`	Search registry

Publish must run from inside the skill directory (requires SKILL.md in cwd).

Required Files

SKILL.md — this file
references/checklist.md — quick audit checklist

Notes

Never modify the live skill — always create a separate copy
The publishable copy should work for anyone who installs it with minimal config
If a skill can't be fully generalized (e.g. deeply personal workflows), document what the user needs to configure
ClawHub registry may not display env: frontmatter — that's a registry display issue, not a skill issue

Comments

Loading comments...