ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Itch.io Publisher

v0.1.1

Read itch.io creator stats and publish or update itch.io game builds from Windows using the itch.io server-side API and Butler. Use when the user asks to che...

0· 109·0 current·0 all-time
byStanislav Stankovic@stanestane

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for stanestane/itch-io-publisher.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Itch.io Publisher" (stanestane/itch-io-publisher) from ClawHub.
Skill page: https://clawhub.ai/stanestane/itch-io-publisher
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install itch-io-publisher

ClawHub CLI

Package manager switcher

npx clawhub@latest install itch-io-publisher
Security Scan
Capability signals
CryptoCan make purchasesRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the SKILL.md: all commands are about validating an itch.io API key, reading account/game stats from the itch.io API, installing Butler, and pushing builds. The skill does not ask for unrelated credentials or resources.
Instruction Scope
The SKILL.md instructs the agent to run explicit PowerShell commands that (a) call the itch.io API, (b) download a Butler zip and extract it, and (c) run butler.exe to dry-run or push builds. These actions are within the stated purpose, but they will perform network downloads, write files under %LOCALAPPDATA% and the system temp folder, and execute a downloaded binary — all of which are expected for this task and should be reviewed before running.
Install Mechanism
No formal install spec is present; instead, the SKILL.md downloads a Butler ZIP from broth.itch.zone and extracts it to %LOCALAPPDATA%\OpenClaw\tools\butler. broth.itch.zone is the known itch.io binary host, but this is still a network download and creates/extracts files on disk, so users should verify the source or checksum if they want extra assurance.
Credentials
The skill declares no required environment variables or primary credential. The runtime instructions expect the user (or agent) to supply an itch.io API key as $key and temporarily write it to a file in the temp directory for butler to read, then delete it. Requiring the API key is proportional to the task, but writing credentials to temp disk briefly has some risk (residual files if errors occur, possible exposure on multi-user systems).
Persistence & Privilege
always is false and the skill does not request elevated or system-wide modifications. It will create a per-user directory under %LOCALAPPDATA% and temp files, and execute the butler binary there; it does not change other skills or system-wide agent configuration.
Assessment
This skill appears to do what it claims, but review the PowerShell commands before running. Specifically: confirm you trust broth.itch.zone (the official itch.io binary host) before allowing the download and execution of butler.exe; consider installing Butler yourself or verifying a checksum; be careful supplying your itch.io API key — the script writes it to a temp file briefly, so ensure the environment is secure and confirm the token file is removed on error; always confirm source and target paths before doing a live push (use the dry-run first). If you need stronger protection, supply credentials via a secure secret store/Windows credential manager rather than pasting them into a temporary file.

Like a lobster shell, security has layers — review code before you run it.

latestvk974m788vrvtffp7knxktqbx7x857aaz
109downloads
0stars
2versions
Updated 1w ago
v0.1.1
MIT-0
Stanislav Stankovic@stanestane
latest
Download

itch-io-publisher

Keep this skill self-contained. Do not rely on bundled helper scripts being present. Run explicit PowerShell commands directly so the user can inspect exactly what will happen.

Workflow

  1. Validate the API key if needed.
  2. Read account and game stats if the user wants visibility first.
  3. Install Butler if it is missing.
  4. Dry-run a push before a live upload when the target or source path is new.
  5. Only do a live push after the user has identified the project target and local build source.

Key limits

  • The public server-side API is suitable for reading account and game data and for purchase or download-key verification.
  • Normal page editing is not exposed here; expect metadata edits to require the itch.io web dashboard.
  • Build publishing is done with Butler, not the read-oriented JSON API.

Validate key and read stats

Run this PowerShell directly:

$key = '<API_KEY>'
$base = "https://itch.io/api/1/$key"
$me = Invoke-RestMethod -Uri "$base/me" -Method Get -TimeoutSec 30
$games = Invoke-RestMethod -Uri "$base/my-games" -Method Get -TimeoutSec 30

$totalViews = 0
$totalDownloads = 0
$totalPurchases = 0
foreach ($game in $games.games) {
  $totalViews += [int]$game.views_count
  $totalDownloads += [int]$game.downloads_count
  $totalPurchases += [int]$game.purchases_count
}

[pscustomobject]@{
  account = $me.user
  totals = [pscustomobject]@{
    views = $totalViews
    downloads = $totalDownloads
    purchases = $totalPurchases
    games = @($games.games).Count
  }
  games = $games.games
} | ConvertTo-Json -Depth 8

Use this to validate the key, fetch profile info, list games, and summarize views, downloads, and purchases.

Install Butler

If Butler is not installed yet, run this PowerShell directly:

$dest = Join-Path $env:LOCALAPPDATA 'OpenClaw\tools\butler'
New-Item -ItemType Directory -Force -Path $dest | Out-Null
$zipPath = Join-Path ([System.IO.Path]::GetTempPath()) 'butler-windows-amd64.zip'
Invoke-WebRequest -Uri 'https://broth.itch.zone/butler/windows-amd64/LATEST/archive/default' -OutFile $zipPath -TimeoutSec 120
Expand-Archive -Path $zipPath -DestinationPath $dest -Force
& (Join-Path $dest 'butler.exe') version

This downloads the latest Windows Butler build from broth.itch.zone into %LOCALAPPDATA%\OpenClaw\tools\butler.

Push a build

Dry-run first when possible:

$key = '<API_KEY>'
$source = 'D:\path\to\build'
$target = 'username/game:html5'
$butlerDir = Join-Path $env:LOCALAPPDATA 'OpenClaw\tools\butler'
$butler = Join-Path $butlerDir 'butler.exe'
if (!(Test-Path $butler)) {
  throw "butler.exe not found. Install Butler first."
}
if (!(Test-Path $source)) {
  throw "Source path not found: $source"
}
$tmpDir = Join-Path ([System.IO.Path]::GetTempPath()) 'openclaw-itch'
New-Item -ItemType Directory -Force -Path $tmpDir | Out-Null
$tokenFile = Join-Path $tmpDir 'butler_creds.txt'
Set-Content -Path $tokenFile -Value $key -NoNewline
try {
  & $butler -i $tokenFile push $source $target --dry-run
}
finally {
  Remove-Item $tokenFile -Force -ErrorAction SilentlyContinue
}

Live push:

$key = '<API_KEY>'
$source = 'D:\path\to\build'
$target = 'username/game:html5'
$butlerDir = Join-Path $env:LOCALAPPDATA 'OpenClaw\tools\butler'
$butler = Join-Path $butlerDir 'butler.exe'
if (!(Test-Path $butler)) {
  throw "butler.exe not found. Install Butler first."
}
if (!(Test-Path $source)) {
  throw "Source path not found: $source"
}
$tmpDir = Join-Path ([System.IO.Path]::GetTempPath()) 'openclaw-itch'
New-Item -ItemType Directory -Force -Path $tmpDir | Out-Null
$tokenFile = Join-Path $tmpDir 'butler_creds.txt'
Set-Content -Path $tokenFile -Value $key -NoNewline
try {
  & $butler -i $tokenFile push $source $target --if-changed
}
finally {
  Remove-Item $tokenFile -Force -ErrorAction SilentlyContinue
}

Target format

Use Butler targets in the form:

  • username/game:channel
  • game_id:channel

Common HTML game channel names include html5 or web, but use the channel the user has configured on itch.io.

Safe defaults

  • Do not paste API keys back into chat unless the user explicitly asks.
  • Do not live-push to itch.io without a specific source path and target confirmed by the user.
  • Prefer dry-run first for a new project or channel.
  • If a push fails, inspect Butler's exact error rather than guessing.

Comments

Loading comments...