Clawhub Publishing Workflow

v1.0.3

Complete workflow for publishing OpenClaw skills to ClawHub - includes authentication troubleshooting, bot detection workarounds, and the mother skill philos...

⭐ 0· 112·1 current·1 all-time

by@stefanferreira

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for stefanferreira/clawhub-publishing-workflow.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Clawhub Publishing Workflow" (stefanferreira/clawhub-publishing-workflow) from ClawHub.
Skill page: https://clawhub.ai/stefanferreira/clawhub-publishing-workflow
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install clawhub-publishing-workflow

ClawHub CLI

Package manager switcher

npx clawhub@latest install clawhub-publishing-workflow

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The SKILL.md clearly documents a ClawHub publishing workflow, which matches the skill name/description. However, the registry metadata declared no required binaries or env vars while the instructions explicitly require the 'clawhub' CLI (npm install -g clawhub) and reference BrowserBase tooling — a minor inconsistency between declared requirements and the runtime instructions.

Instruction Scope

Instructions mostly stay within publishing tasks (login, publish, inspect). But they include guidance to bypass bot detection (use residential proxies, enable 'Camo Fox', 'stealth features') and explicit environment variable guidance for BrowserBase. Encouraging evasion of bot detection is scope-creep relative to a straightforward publishing workflow and could have legal/terms-of-service implications.

ℹ

Install Mechanism

The skill is instruction-only (no install spec). SKILL.md tells users to run 'npm install -g clawhub' which will execute code from the npm ecosystem. That is a normal recommendation for a CLI but is not declared in metadata; installing a global npm package can run arbitrary code — users should verify the package source and publisher before running.

Credentials

The declared requirements list no env vars, yet the instructions tell users to export BROWSERBASE_CAMO_FOX and BROWSERBASE_PROXY_TYPE and to obtain a ClawHub API token. The docs reference environment variables and a third-party BrowserBase service without justifying why those variables must be set on the host; the mismatch should be clarified and users should avoid exporting secrets into shells or CI without understanding implications.

✓

Persistence & Privilege

The skill is not force-enabled (always:false), is user-invocable, has no install-time persistence, and does not request elevated privileges or modify other skills. No persistence or privilege escalation is requested in the manifest or instructions.

What to consider before installing

This document is largely a coherent how-to for publishing to ClawHub, but review the following before proceeding: - Verify the 'clawhub' npm package: inspect its npm page/repository and confirm the publisher/trusted source before running 'npm install -g'. Global npm installs execute code on your machine. - Be cautious with tokens: the workflow uses a ClawHub API token — do not paste tokens into untrusted prompts, do not commit them to repos, and avoid storing them in plain files or shell history. - Proxy/stealth guidance is a red flag: instructions to use residential proxies, BrowserBase Camo Fox, or 'stealth' browsers are effectively instructions to bypass bot-detection. This can violate hosting/platform terms or local law; only follow such steps if you understand the legal and policy implications and you control the relevant accounts. - Metadata mismatch: the skill metadata declares no required binaries or env vars, yet the README asks you to install a CLI and set env vars. Ask the publisher (or inspect the upstream repo) to clarify required dependencies and exact command sources. - If you plan to proceed: test with a throwaway skill and throwaway account first, limit token permissions if possible, and run npm installs in an isolated environment (container/VM) until you confirm the tooling is trustworthy. If you want, I can list commands to verify the npm package (npm view, inspect repo) and show safer ways to run and audit the cli before installing globally.

Like a lobster shell, security has layers — review code before you run it.

latestvk97efnvycqpzw00vhzdh4kpw2d84vs86

112downloads

0stars

4versions

Updated 1w ago

v1.0.3

MIT-0

ClawHub Publishing Workflow 🚀

Description: Complete workflow for publishing OpenClaw skills to ClawHub - includes authentication troubleshooting, bot detection workarounds, and the mother skill philosophy.

Status: ✅ PRODUCTION READY (Version 1.0.0)

🎯 When to Use

Publishing a new skill to ClawHub for the first time
Updating an existing published skill
Troubleshooting ClawHub authentication issues
Understanding bot detection challenges with ClawHub
Implementing the "mother skill" philosophy

📋 Prerequisites

ClawHub CLI installed:
```
npm install -g clawhub
```
GitHub account (for ClawHub registration)
ClawHub API token from: https://clawhub.ai/settings/tokens

🚀 Complete Workflow

Phase 1: Authentication (DISCOVERED METHOD)

# Get token from ClawHub settings (format: clh_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
# Then use the CORRECT authentication method (discovered through trial and error):
clawhub login --token "YOUR_TOKEN_HERE" --no-browser

# Verify authentication:
clawhub whoami
# Should show: ✔ your-username

# WRONG METHODS WE TRIED:
# ❌ export CLAWHUB_TOKEN="token" (doesn't work)
# ❌ echo "token" > ~/.clawhub/token (doesn't work)
# ✅ clawhub login --token "token" --no-browser (CORRECT)

Phase 2: Skill Preparation

# 1. Create skill directory structure
your-skill/
├── SKILL.md
├── references/ (optional)
├── templates/ (optional)
├── scripts/ (optional)
└── assets/ (optional)

# 2. Validate skill structure
./scripts/validate.sh

# 3. Check for personal information (critical for community sharing)
grep -i "C:\\\\\\\\\|/home/\|password\|token\|secret" SKILL.md || echo "Clean"

Phase 3: Publishing

# IMPORTANT: Version must be valid semver (2.2.0 not 2.2)
clawhub publish /path/to/your-skill \
  --slug "your-unique-slug" \
  --name "Skill Display Name" \
  --version "1.0.0" \
  --changelog "Initial release"

# Slug rules:
# - Lowercase, hyphens only
# - Must be globally unique on ClawHub
# - If taken, append "-v2" or "-backup"

Phase 4: Verification

# Skill undergoes security scan (takes a few minutes)
clawhub inspect your-slug

# Once scan completes, skill is available at:
# https://clawhub.ai/s/YOUR_USERNAME/your-slug

⚠️ Pitfalls & Solutions (LEARNED FROM EXPERIENCE)

Pitfall 1: Bot Detection (Vercel Security Checkpoint)

Symptoms: "We're verifying your browser" page blocks authentication Solution:

Use token authentication (clawhub login --token --no-browser)
For browser auth: Enable Camo Fox + residential proxies in BrowserBase

Pitfall 2: Incorrect Authentication Methods

Symptoms: "Not logged in" despite having token Solution: Use exact command: clawhub login --token TOKEN --no-browser

Pitfall 3: Invalid Semver Version

Symptoms: "--version must be valid semver" error Solution: Use proper semver: "1.0.0", "2.2.0" (not "2.2")

Pitfall 4: Slug Conflicts

Symptoms: "Only the owner can publish updates" Solution: Check slug availability, use unique slug

✅ Verification Steps

Authentication Test

clawhub whoami
# Expected: ✔ username

Skill Structure Test

# Create validation script in your skill:
cat > scripts/validate.sh << 'EOF'
#!/bin/bash
echo "=== Skill Validation ==="
[ -f "SKILL.md" ] && echo "✅ SKILL.md exists" || echo "❌ SKILL.md missing"
EOF
chmod +x scripts/validate.sh

Publish Test

# No dry-run option available, so publish small test skill first

🦊 Bot Detection & Camo Fox

When Browser Auth is Required

If you need browser authentication (for token generation):

Enable Camo Fox in BrowserBase dashboard
Configure residential proxies
Use browser with stealth features enabled

Environment Variables for BrowserBase

export BROWSERBASE_CAMO_FOX=true
export BROWSERBASE_PROXY_TYPE=residential

🐕 Mother Skill Philosophy

A mother skill is:

Comprehensive: End-to-end solution for a specific problem
Battle-tested: Proven in real-world use
Community-evolved: Improves with community feedback
Branded: British dry humour + canine wisdom (optional but fun)

Brand Elements (Optional)

British phrases: "Right then", "Bob's your uncle", "Sorted"
Canine personas: Romeo, Luna, Buster, Thomas
Signature: "Put that in your pipe and smoke it!"

🔧 Troubleshooting Commands

# Check CLI version
clawhub -V

# Check authentication methods
clawhub auth --help

# Get token help
clawhub login --help

# List your published skills
# Visit: https://clawhub.ai/u/YOUR_USERNAME

📁 Example Skill Structure

clawhub-publish-mother-skill/
├── SKILL.md                    # Main documentation
├── scripts/
│   ├── validate.sh            # Validation script
│   └── test-publish.sh        # Test publishing
└── references/
    ├── checklist.md           # Publishing checklist
    └── camo-fox.md           # Bot detection guide

🔄 Version History

v1.0.0: Initial skill creation with discovered authentication method
v1.0.1: Added bot detection guidance and mother skill philosophy

🤝 Community Contributions

This skill documents approaches discovered through trial and error. If you find better methods, update and share!

HELL YEAH, ClawHub publishing mastered! 🎯

Based on real discovery: clawhub login --token TOKEN --no-browser British dry humour + canine personas optional but recommended

Comments

Loading comments...