ClawHub Skill Guide — Scanner Compliance

v1.0.0

Create, structure, and publish OpenClaw skills to ClawHub that pass the security scanner with clean ratings. Covers frontmatter schema, env var declarations,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is a documentation/guide package (no code, no install spec, no required env vars). Everything it asks for (none) and everything it documents (frontmatter, env declaration patterns, publish workflow) aligns with a publisher/authoring guide.
Instruction Scope
SKILL.md and referenced docs stay on-topic: they instruct how to structure frontmatter, declare env vars, document scripts, and avoid automatic config changes. The content explicitly recommends manual review and isolation patterns and does not instruct the agent to read unrelated host files, exfiltrate data, or auto-apply gateway config.
Install Mechanism
There is no install specification and no bundled binaries or downloads. As an instruction-only skill, nothing is written to disk or executed by default, which is proportionate to its purpose.
Credentials
The skill declares no required environment variables or credentials. It contains examples showing how to declare env vars for other skills, which is appropriate for a guide and does not request unrelated secrets.
Persistence & Privilege
The skill does not request always:true or any persistent background privileges. It explicitly recommends running multi-user skills in a separate, restricted agent and warns that config.patch can replace arrays (helpful safety guidance). Autonomous invocation is enabled by default but there are no other red flags that make that risky here.
Assessment
This guide is coherent and low-risk: it only documents best practices and includes explicit safety recommendations (inspect scripts, declare env vars in frontmatter, present config as templates for manual review). Before using templates or example scripts: 1) never paste real credentials into example files; 2) inspect any provided scripts before running them locally; 3) be careful when using config.patch — the guide warns it replaces whole arrays, so manually merge to avoid accidental removal of existing agents/bindings; and 4) follow the guide's recommendation to run multi-user skills under a restricted/dedicated agent. If you plan to publish real skills based on these templates, ensure frontmatter env declarations accurately reflect any credentials the skill actually uses.

Like a lobster shell, security has layers — review code before you run it.
