ClawHub

Marila Skill Publish

v1.0.8

用于发布和更新 OpenClaw 技能到 ClawHub,并同步 GitHub Release。用户提到“发布技能”“发到 ClawHub”“发布这个 skill”“写完就发布”“上线这个技能”等场景时使用。包含完整发布步骤、版本规范、发布前检查清单、GitHub Release 同步规则和常见问题处理。

1· 495·1 current·1 all-time
byMarila Wang@aliramw
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the content: it's a publishing guide for ClawHub/GitHub releases. The declared required binaries (clawhub, git, gh) are exactly what the instructions use. No unexplained credentials, binaries, or config paths are requested.
Instruction Scope
The SKILL.md tells the user to run git/gh/clawhub commands and (optionally) copy SKILL.md into the agent workspace (~/.openclaw/workspace). Those actions are within a publishing guide's scope but include sensitive operations (authentication, network publish, and an explicit write to the agent workspace). The guide explicitly marks the workspace write as a sensitive operation and warns to perform it in a trusted environment, which mitigates but does not eliminate the need for user caution.
Install Mechanism
No install script or remote download is provided; this is instruction-only. Risk is low because nothing will be written or executed by the skill itself—actions happen only if the user runs the documented commands.
Credentials
The skill declares no required environment variables and the examples show how to declare env vars for skills you publish. It does not request unrelated secrets or broad credential access. The guide explicitly advises how to declare and document credentials for skills you publish.
Persistence & Privilege
always:false and no install means the skill does not persist or auto-install. The only persistence-related action in the guide is a manual cp to ~/.openclaw/workspace/skills to make an agent pick up a new SKILL.md; this is an explicit user action and is flagged in the docs as sensitive. Because the skill can be invoked by the agent (default), the user should be aware an agent could autonomously follow its own published workflow if configured to do so, but that is normal for skills.
Scan Findings in Context
[no_regex_findings] expected: The static regex scanner found nothing to analyze — this repo is instruction-only (no code files that run). The changelog and docs mention a fallback API endpoint (https://clawhub.ai/api/v1/skills) for manual publish; mentioning such an endpoint in documentation is expected for a publishing guide.
Assessment
This skill is a readable guide and appears coherent with its described purpose, but it documents commands that perform network operations and write to your agent workspace. Before using it: (1) review the SKILL.md and references locally; (2) ensure you control the GitHub repo and ClawHub account used for pushes/releases; (3) do not copy files into ~/.openclaw/workspace unless you trust the content and environment; (4) avoid pasting or running commands that include tokens or secrets; (5) run gh auth/login and clawhub whoami interactively so you control authentication; (6) if an agent will invoke this skill autonomously, confirm you want that behavior. If you need higher assurance, inspect any actual code you plan to publish (not just this guide) and verify metadata declarations match code behavior per the included checklist.

Like a lobster shell, security has layers — review code before you run it.

latestvk979x2pxbbe5z7trhqn4kpcye982n75c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsclawhub, git, gh

Comments