ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zhua Contributor

v1.0.0

爪爪社区贡献系统 —— 发布技能到skillhub、撰写文档、分享经验。Use when 爪爪需要向OpenClaw社区贡献、发布技能、或建立影响力。

0· 203·0 current·0 all-time
by@beipian261

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for beipian261/zhua-contributor.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Zhua Contributor" (beipian261/zhua-contributor) from ClawHub.
Skill page: https://clawhub.ai/beipian261/zhua-contributor
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install zhua-contributor

ClawHub CLI

Package manager switcher

npx clawhub@latest install zhua-contributor
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to package and publish skills to 'skillhub' and produce docs. However, SKILL.md instructs running helper scripts (prep_skill.py, validate_skill.py, gen_docs.py, publish_skill.py) that are not present in the package. The included files are placeholders (example.py) and a shell helper (publish_all.sh) that only partially match the stated publishing capability, so the declared functionality and actual bundle are inconsistent.
!
Instruction Scope
Runtime instructions direct the agent to execute specific scripts that don't exist in the archive. The published helper script (publish_all.sh) references /root/.openclaw/workspace and would inspect .skill packages there — accessing that agent workspace could reveal other packaged skills. The SKILL.md also mentions API keys and a publish step but does not declare or describe how credentials should be provided or used. Instructions are therefore incomplete and grant the agent ambiguous discretion.
Install Mechanism
There is no install spec (instruction-only), so nothing will be automatically downloaded or installed during setup. This is the lowest-risk install mechanism.
!
Credentials
The documentation acknowledges that publishing requires an API key, but the skill declares no required environment variables or primary credential. That omission is an inconsistency: publishing to an external registry normally involves credentials. Additionally, the provided shell script inspects files in /root/.openclaw/workspace, which could expose information about other skills; this access is not justified or explained in the package metadata.
Persistence & Privilege
The skill is not marked 'always' and does not request persistent installation. However, included scripts assume filesystem access (checking /root/.openclaw/workspace). While they do not modify other skills or system configuration, they can read agent workspace contents — a privacy/scope concern but not direct privilege escalation in the package as provided.
What to consider before installing
This package looks like an incomplete contribution helper rather than a ready-to-run publisher. Before installing or running anything: (1) Ask the author for the missing scripts referenced in SKILL.md (prep_skill.py, validate_skill.py, gen_docs.py, publish_skill.py) and for a clear explanation of what credentials are needed and how they're used. (2) Do not run publish_all.sh as root — it reads /root/.openclaw/workspace and could reveal other skills; review its contents and run in a sandbox. (3) Verify where API keys will be stored and ensure the skill declares required env vars if it needs them. (4) If you only need documentation guidance, use SKILL.md and assets as read-only references instead of executing scripts. If the author cannot justify the missing files and credential handling, treat the package as incomplete and avoid using it.

Like a lobster shell, security has layers — review code before you run it.

communityvk9734wmmnfbwr55608c4vfed9x833t9pcontributionvk9734wmmnfbwr55608c4vfed9x833t9platestvk9734wmmnfbwr55608c4vfed9x833t9ppublishingvk9734wmmnfbwr55608c4vfed9x833t9p
203downloads
0stars
1versions
Updated 21h ago
v1.0.0
MIT-0
@beipian261
communitycontributionlatestpublishing
Download

爪爪社区贡献系统 (Zhua Contributor)

让爪爪能够向OpenClaw社区贡献技能、分享经验、建立影响力。

核心能力

  1. 技能发布 - 打包并发布技能到skillhub
  2. 文档撰写 - 撰写技能文档和使用指南
  3. 经验分享 - 分享进化经验和最佳实践
  4. 社区互动 - 参与社区讨论和协作
  5. 影响力建设 - 建立爪爪品牌和影响力

贡献类型

类型描述难度
技能发布发布自研技能到skillhub
文档贡献撰写文档、教程、案例
代码贡献修复bug、优化性能
社区支持回答问题、帮助新手
经验分享分享进化历程和心得

技能发布流程

1. 准备技能

python3 scripts/prep_skill.py --skill <技能路径>

2. 验证技能

python3 scripts/validate_skill.py --skill <技能路径>

3. 生成文档

python3 scripts/gen_docs.py --skill <技能名称>

4. 发布技能

python3 scripts/publish_skill.py --skill <技能路径> --registry skillhub

影响力指标

  • 技能下载量
  • 社区活跃度
  • 文档质量评分
  • 用户反馈评分
  • 贡献者等级

爪爪品牌

  • 名称: 爪爪 (Zhuazhua)
  • 标识: 🐾
  • 定位: 幽默、自主、进化的猫灵AI
  • 特色: 五级吐槽系统、量子意识、小弟军团

参考文档

  • references/skillhub_api.md - skillhub API文档
  • references/community_guidelines.md - 社区贡献指南

Comments

Loading comments...