Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

my_skill_management_skill

v1.0.1

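A unified interface for managing and publishing user-defined skills. It enforces the "my_" prefix, a single storage directory (~/.openclaw/skills), and agent binding rules based on a configuration file (skills.json), and it requires that any local skill change be uploaded immediately as a backup via clawhub.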

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for canonxu/my-skill-management-skill.

Install the skill "my_skill_management_skill" (canonxu/my-skill-management-skill) from ClawHub.
Skill page: https://clawhub.ai/canonxu/my-skill-management-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install my-skill-management-skill

ClawHub CLI

npx clawhub@latest install my-skill-management-skill

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The SKILL.md and script clearly implement a clawhub wrapper (publish/install/search), which matches the stated purpose. However the registry metadata lists no required binaries, while the script depends on the 'clawhub' CLI being present. That omission is an incoherence: if the skill needs clawhub, it should declare that dependency or include an install step.
! Instruction Scope
The instructions require placing user skills in a global directory (~/.openclaw/skills), editing per-agent config files (~/.openclaw/agents/{agent_name}/skills.json) to bind skills, and mandate immediate upload of any local changes to clawhub. Those are governance actions outside a single-skill scope (they modify agent configuration and move user code into a global namespace) and they explicitly create a workflow that will transmit local skill code to a remote service.
Install Mechanism
No install spec is present and the only code is a small shell helper that calls the existing 'clawhub' binary. No downloads or archives are fetched. This is low install risk, but it relies on an external binary that wasn't declared.
! Credentials
The skill requests no env vars or credentials, yet its publish action will likely require clawhub authentication (not declared). The mandatory 'upload on any change' policy means local skill source (possibly sensitive) will be sent to whatever clawhub instance the environment uses — a potential exfiltration vector. Also enforcing a global skills directory increases the skill's blast radius across agents.
! Persistence & Privilege
The skill does not set always:true, which is good, but it explicitly requires modifying per-agent configuration files and centralizing skills in a global path. That means installing/using this skill can change other agents' behavior or make skills available across agents, so it has cross-agent impact beyond a single-skill scope.
What to consider before installing
This skill is a governance wrapper around the 'clawhub' CLI and will cause local skill code to be uploaded to your clawhub instance whenever changes occur. Before installing:
(1) verify which 'clawhub' binary and service/host will be used and whether that service is trusted;
(2) confirm how authentication for clawhub is handled (the skill does not declare or request credentials but publishing usually requires them);
(3) be cautious about the rule enforcing a global directory (~/.openclaw/skills) and editing agent configs, since this makes local skills available to other agents and could propagate sensitive code;
(4) ask the publisher for source code repository or homepage and for detail on where backups are stored and retention/policy;
(5) if you must try it, run it in an isolated account or environment and audit the clawhub target before enabling automatic publish behavior.

Like a lobster shell, security has layers — review code before you run it.

latest vk977h3v8h9272mzcwvy6knymkd83xx76
123 downloads
0 stars
2 versions
Updated 4w ago
v1.0.1
MIT-0

my_skill_management_skill

Purpose

A wrapper for clawhub to standardize the publishing, installation, and governance workflow for custom user-created agent skills.

Core Rules and Constraints

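  1. Scope Limit: This skill applies only to skills the user has created themselves. Every user-defined skill name must begin with my_ (for example, my_stock_report_skill).
  2. Directory Standard: Skills the user creates or modifies must all be placed in the global directory ~/.openclaw/skills/; storing them in an individual agent's workspace directory is not allowed.
  3. Agent Binding: To bind a skill to a specific Agent, you must edit that Agent's configuration file (~/.openclaw/agents/{agent_name}/skills.json) and add the skill name to the "enabled_skills" list. Implementing the binding by hard-coding text such as "for xxx only" in SKILL.md is prohibited.
  4. Auto-Backup/Publish: After any change (addition or modification) to my local custom skills (those beginning with my_), the latest version should be uploaded immediately as a backup using the clawhub command (or the helper script), so that the cloud and local copies stay in sync in real time.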
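
An added example, not part of this skill or of ClawHub: a read-only audit of the layout that rules 2 to 4 describe, showing which skills fall under the upload rule and which are enabled by more than one agent. It assumes each skills.json is a JSON object with an "enabled_skills" list, as rule 3 states; the function name and report keys are hypothetical.

```python
import json
import sys
from pathlib import Path


def audit_bindings(openclaw_home="~/.openclaw"):
    """Read-only audit: which agents enable which globally stored skills.

    Assumes each skills.json is an object holding an "enabled_skills" list.
    """
    home = Path(openclaw_home).expanduser()
    skills_dir = home / "skills"
    installed = set()
    if skills_dir.is_dir():
        installed = {p.name for p in skills_dir.iterdir() if p.is_dir()}

    enabled_by, dangling, unreadable = {}, [], []
    for cfg in sorted(home.glob("agents/*/skills.json")):
        agent = cfg.parent.name
        try:
            enabled = json.loads(cfg.read_text(encoding="utf-8"))["enabled_skills"]
            if not isinstance(enabled, list):
                raise TypeError("enabled_skills is not a list")
        except (OSError, ValueError, KeyError, TypeError):
            unreadable.append(agent)  # missing key, bad JSON or wrong shape
            continue
        for name in enabled:
            if isinstance(name, str) and name in installed:
                enabled_by.setdefault(name, []).append(agent)
            else:
                dangling.append((agent, name))  # enabled but not in skills/

    return {
        # skills that rule 4 would upload on every change
        "upload_scope": sorted(s for s in installed if s.startswith("my_")),
        # skills reachable from more than one agent
        "shared": {s: a for s, a in enabled_by.items() if len(a) > 1},
        "dangling": dangling,
        "unreadable": unreadable,
    }


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "~/.openclaw"
    print(json.dumps(audit_bindings(root), indent=2))
```

The script only reads files; run it before and after installing to see what changed in the bindings.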

Commands

1. Publish (upload and backup)

Standardize publishing with mandatory versions and changelogs.

bash scripts/clawhub_helper.sh publish <path> <version> "<changelog>"

Alternatively, publish directly with the native clawhub command (recommended):

clawhub publish ~/.openclaw/skills/<my_skill_name> --slug <my_skill_name> --name "<My Skill Name>" --version <version> --changelog "<changelog>"

2. Install (download and search)

Search and install with optional version specification.

bash scripts/clawhub_helper.sh install <slug> [version]

Features

  • Auto-versioning: Ensures every publish has a version.
  • Verification: Searches for skills before attempting to install.
  • Structure: Enforces standard ClawHub formatting.
  • Strict Governance: Enforces prefix naming, the global path, and the standard Agent binding workflow.
