Skill Publisher Claw Skill

v0.1.0

Prepare and audit a Claw skill for public release by validating structure, security, portability, documentation, testing, git hygiene, and metadata.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (skill publisher) matches the included files and behavior: audit.sh, fix.sh, scaffold.sh, publish.sh, score.sh, etc. All scripts perform repository-quality checks, scaffolding, auto-fixes, changelog generation, and GitHub publishing — capabilities that belong in a 'skill publisher' toolkit.
Instruction Scope
SKILL.md provides a checklist and guidance; the shipped scripts implement scanning and remediation. The scripts read and modify files in the target skill directory, inspect git history (git log -p), edit files (sed), create commits, and (optionally) create/push to GitHub via the GitHub CLI. These behaviors are expected for a publish workflow, but they do mean the skill will inspect and mutate repository contents when run.
Install Mechanism
No install spec — the skill is instruction + scripts only. That is the lowest-risk delivery model for this purpose. The scripts rely on standard Unix tools (grep, sed, git, gh) but do not download or execute code from remote URLs as part of an install step.
Credentials
The package declares no required environment variables or credentials, which is consistent. Some scripts expect Git and optionally the GitHub CLI (gh) and a configured git user; publish.sh will attempt to use gh auth to create/push repos. Although no secrets are requested by the skill explicitly, if the user has gh authenticated (or git remotes configured) these scripts will act using that existing authorization.
Persistence & Privilege
always:false (normal). The skill does not request persistent system privileges, but several scripts will modify local files, initialize/git-commit a repository, and push to remote(s) when run. If the agent is allowed to invoke the skill autonomously and has access to gh/git credentials in the environment, it could perform publish/push operations without further human review — this is expected for a publishing tool but worth being conscious of.
Assessment
This toolkit appears coherent for preparing and publishing skills, but it performs file and git operations, so review the scripts before running. Recommended precautions:
- Inspect publish.sh, fix.sh, and scaffold.sh to understand exactly what will be changed/committed.
- Run audit.sh and score.sh in a disposable copy of your repository first (do not run publish.sh on a repo you can't restore).
- If you don't want automatic pushes, avoid running publish.sh or run it with caution; remove/configure the 'gh' CLI auth if you don't want remote creation/push.
- Back up or ensure a clean git branch before letting fix.sh apply automated edits (fix.sh does in-place sed replacements and can commit changes via publish.sh).
- If you allow an autonomous agent to call this skill, restrict it or ensure GitHub CLI is not authenticated in that runtime environment to prevent unintended pushes.
Overall: coherent and expected behavior for a publisher tool, but treat it like any script that modifies your repo: review and run in a controlled environment.

Like a lobster shell, security has layers — review code before you run it.
