ClawHub

zenn

v0.0.1

Publish Zenn articles by managing Markdown in a GitHub-connected repository (push/PR -> merge) and previewing with Zenn CLI.

0· 344·0 current·0 all-time
by@tachi-koma-x
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's description (publish Zenn via a GitHub repo) matches the instructions. However the registry metadata claims no required binaries or env vars while the runtime instructions explicitly call out git, npm/npx, and pushing to a GitHub remote. Declaring none of those requirements in metadata is inconsistent.
Instruction Scope
SKILL.md stays on-topic: it instructs creating articles in articles/, previewing with zenn-cli, and using Git/PR workflows. It does not ask the agent to read unrelated system files or exfiltrate data. It does, however, instruct running npm install and npx (which execute code) and performing git push/PR operations that will use repository credentials.
Install Mechanism
This is an instruction-only skill (no install spec). The workflow recommends installing zenn-cli via npm in the repo, which is a normal approach. Note: npm install can run package scripts and retrieve packages from the public registry—this is expected but carries the usual npm supply-chain considerations.
!
Credentials
The skill declares no required env vars or binaries, but the instructions implicitly require: git, node/npm/npx on PATH, and authentication to push to GitHub (SSH keys or a token). The omission of these dependencies/credentials from metadata is a proportionality mismatch and an information gap the user should be aware of.
Persistence & Privilege
always is false and there is no install-time modification of other skills or global agent settings. The skill does not request persistent elevated privileges beyond normal repo operations.
What to consider before installing
This skill's instructions are coherent for publishing Zenn articles, but the registry metadata is incomplete: SKILL.md expects git, node/npm/npx and the ability to push to a GitHub remote (SSH key or token). Before installing/using: 1) Confirm you have node/npm and git available and understand that npm install will fetch and run third-party package code (audit package versions and consider using a lockfile). 2) Be aware that git push/PR requires GitHub credentials—only run pushes from repos you trust and where credentials are managed securely. 3) Verify the origin of this skill (source/homepage unknown) and prefer skills with a known upstream or source code. 4) If you need stronger assurance, run the workflow in an isolated environment or inspect the zenn-cli package contents first. If the maintainer can update metadata to list required binaries and note the implicit need for repo credentials, the inconsistency would be resolved.

Like a lobster shell, security has layers — review code before you run it.

latestvk97737494c3j349r5saq8k2dr981pkr8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments