Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

v1.0.6

Make your skills easy to understand and impossible to ignore

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (generate README + publish) match the script and SKILL.md: the tool parses SKILL.md and VERSION, generates one-liners, updates SKILL.md frontmatter, initializes git, creates/pushes a GitHub repo with `gh`, and publishes with `clawdhub`. Required CLIs (gh, clawdhub, jq, git) are appropriate for these actions.
Instruction Scope
Runtime instructions and the script stay within the stated scope. The script reads SKILL.md and VERSION, may update SKILL.md description, may prompt to overwrite or require README.md, initializes a git repo if missing, creates/pushes a GitHub repo via `gh`, and runs `clawdhub publish`. These file writes, commits, and remote publishes are expected behavior for a publishing tool; users should be aware it will modify files and push to remotes.
Install Mechanism
No install spec is included; the package is instruction + shell script only. Nothing is downloaded from external URLs or extracted. This low-risk approach is proportionate to the skill's purpose.
Credentials
The skill requests no environment variables and does not embed credential handling. It relies on existing `gh` and `clawdhub` authentication (normal for tools that create repos and publish). There are no unrelated secrets or external credential requests in the files.
Persistence & Privilege
The skill does not request permanent/always-on presence and will not modify other skills or global agent settings. It performs user-triggered actions (file edits, git operations, remote publish) consistent with its purpose.
Assessment
This tool appears internally consistent and does what it claims, but before running: (1) ensure you have authenticated `gh` and `clawdhub` (it will use your accounts to create repos and publish); (2) be aware it may update SKILL.md frontmatter, overwrite README.md, initialize a git repo, commit, and push — back up files if you want to review changes first; (3) the script prompts before destructive actions, but double-check the chosen one-liner and generated README content before confirming publish; (4) if you lack GitHub/ClawdHub auth, `gh`/`clawdhub` will control what happens (the script will fail rather than exfiltrate secrets).

Like a lobster shell, security has layers — review code before you run it.
