Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Flow Hugo Publisher

v0.1.0

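Hugo article hosting and publishing skill. Used to detect the hugo/git environment, manage the working directory, guide or initialize a Git repository, start a local preview, perform commits, and deploy automatically via GitHub Actions to an accessible GitHub Pages site. Supports fully managed execution and manual intervention with confirmation, and records/reads the user's current working directory and the corresponding Git state.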

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the runtime instructions: the skill checks for hugo/git, manages a Hugo workspace, initializes themes, creates commits and a GitHub Actions workflow, and pushes to origin. All requested actions are consistent with a Hugo publisher.
Instruction Scope
The SKILL.md instructs the agent to read/write files in the user workspace (hugo config, themes, .github/workflows/*, static/CNAME) and persist a JSON state file at ~/.openclaw/state/hugo-publisher-state.json. It will run shell commands (git, hugo, mkdir, printf, etc.) and may push to remote Git remotes. These actions are expected for the stated purpose, but the skill will modify repository files and push changes if the user allows — review before pushing.
Install Mechanism
Instruction-only skill with no install spec or downloaded code. No installation risk from external URLs; all operations are local shell commands and Git interactions.
Credentials
Registry metadata declares no required environment variables, which is acceptable because the skill relies on locally-configured git credentials (SSH keys or credential helpers) and network access to remote Git remotes. The SKILL.md does not attempt to read unrelated secrets. Users should be aware pushing requires existing Git authentication (not provided by the skill).
Persistence & Privilege
The skill persists state to ~/.openclaw/state/hugo-publisher-state.json and writes files inside the chosen workspace (including workflow files). always:false (no forced presence). Persisting its own state and creating repo files is coherent with its purpose, but these writes are permanent until the user removes them.
Assessment
This skill appears to do what it says: it will inspect and modify a Hugo workspace, create/modify files (themes, hugo config, .github/workflows/hugo-pages.yml, static/CNAME, a local deploy guide), run hugo and git commands, and may commit and push to your remote. Before installing or running it:

1) Prefer running it against a disposable or test repository first;
2) Ensure you understand which local directory you point it at — it will write files there and may run git init/add/commit/push;
3) Back up any important repo or verify branches/remotes to avoid accidental pushes to sensitive repos;
4) Confirm you have git/hugo installed and that your Git credentials (SSH key or credential helper) are configured — the skill assumes push/auth exist but does not request credentials;
5) Review the generated workflow file (.github/workflows/hugo-pages.yml) and deploy guide before pushing;
6) Use the skill’s manual intervention points (it documents them) to require confirmation before initializing git, committing, or enabling Actions.

If you need the agent never to push autonomously, run it with manual-confirmation mode or avoid granting autonomous invocation to the agent in your environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk9797mv8cbhsmqw7fk7wzkqfhx83et4s
