ClawHub

Hermes Skill Publishing Guide

v1.1.1

Guide to publishing and sharing Hermes skills through ClawHub, including safe login practices, release hygiene, and security scan preparation.

0· 84·0 current·0 all-time
byXuXu@xuxuclassmate

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xuxuclassmate/skill-publishing.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Hermes Skill Publishing Guide" (xuxuclassmate/skill-publishing) from ClawHub.
Skill page: https://clawhub.ai/xuxuclassmate/skill-publishing
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skill-publishing

ClawHub CLI

Package manager switcher

npx clawhub@latest install skill-publishing
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (publishing/share guide for ClawHub) aligns with the runtime instructions: login, publish, inspect, delete, merge, and a security checklist. There are no unrelated binaries, services, or unexplained permissions requested.
Instruction Scope
SKILL.md contains only publishing-related guidance and example clawhub commands and explicitly advises safe handling of tokens and removal of secrets. It does include destructive actions (publish/delete/merge) which are expected for a publishing guide, but it does not instruct the agent to read unrelated files, exfiltrate data, or contact unexpected endpoints.
Install Mechanism
No install spec or code files are present; this instruction-only format is low-risk because nothing will be written to disk by an installer.
Credentials
The document demonstrates reading a CLAWHUB_TOKEN from stdin and unsetting it, but the registry metadata lists no required env vars. This is a minor mismatch but reasonable: the token is optional/interactive in examples. Users should treat CLAWHUB_TOKEN as a sensitive secret and not expose it in history or logs.
Persistence & Privilege
The skill does not request persistent/always-on presence (always:false). It is user-invocable and the instructions show commands that can modify or delete skills — appropriate for a publishing guide. Note: because agent invocation is allowed by default, avoid letting the agent run these commands autonomously unless you trust it to act only under explicit user direction.
Assessment
This guide appears coherent and safe: it gives expected clawhub commands and sensible security advice. Before following examples, double-check slugs/owner names to avoid accidental delete/merge, provide CLAWHUB_TOKEN interactively (as shown) rather than embedding it, and review any command before running it. Since the file is instruction-only, no code will be installed, but be cautious about allowing autonomous agent execution of publish/delete commands — run them manually or confirm prompts to prevent accidental changes.

Like a lobster shell, security has layers — review code before you run it.

clawhubvk970pdfbnnrmadjjea4te67zd585bhcecommunityvk970pdfbnnrmadjjea4te67zd585bhcedevopsvk970pdfbnnrmadjjea4te67zd585bhcegithubvk970pdfbnnrmadjjea4te67zd585bhcehermesvk970pdfbnnrmadjjea4te67zd585bhcelatestvk970pdfbnnrmadjjea4te67zd585bhcepublishvk970pdfbnnrmadjjea4te67zd585bhceskillsvk970pdfbnnrmadjjea4te67zd585bhce
84downloads
0stars
3versions
Updated 6d ago
v1.1.1
MIT-0
XuXu@xuxuclassmate
clawhubcommunitydevopsgithubhermeslatestpublishskills
Download

Hermes Skill Publishing Guide

When to use

  • You are preparing a skill for ClawHub publication.
  • You need to update a published skill version.
  • You want a short checklist for passing the security scan.

Safe login

Prefer reading the token privately instead of pasting it directly into a shared command line history.

read -s CLAWHUB_TOKEN
clawhub login --token "$CLAWHUB_TOKEN" --no-browser
unset CLAWHUB_TOKEN

Publish a skill

clawhub publish /path/to/skill-folder \
  --slug "skill-slug" \
  --name "Display Name" \
  --version "1.0.0" \
  --changelog "What changed in this release" \
  --tags "latest,tag1,tag2"

Useful commands

  • clawhub whoami
  • clawhub inspect <slug>
  • clawhub search <query>
  • clawhub delete <slug>
  • clawhub skill merge <source-slug> <target-slug>

Security scan checklist

Before publishing:

  • Remove secrets, tokens, and internal URLs.
  • Remove fake commands or instructions for tools that are not actually included.
  • Use official download sources only.
  • Avoid hardcoded system paths and unsafe command examples.
  • Keep examples focused on the skill's real behavior.
  • Rewrite or remove anything that could look like exfiltration, persistence, or privilege escalation.

Release hygiene

  • Bump the version every time you republish.
  • Keep the changelog factual and short.
  • Use English titles and descriptions if the target audience is broad.
  • Merge or delete duplicate skills so only the canonical version remains active.

Comments

Loading comments...