skill-quick-publish

Pass

Audited by ClawScan on May 6, 2026.

Overview

The skill appears to do what it says—publish skills to GitHub and ClawHub and optionally log to Bear—but it can make real account-backed publishing changes, so users should review the target repo, branch, and files first.

Before installing or running, verify the target skill directory, GitHub repo, branch, and ClawHub version/changelog. Prefer a dry run first, make sure the skill directory contains no private files you do not want published, and skip Bear sync if you do not want a persistent local note created.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run with the wrong path, repo, branch, or version, it could publish unintended skill contents or update the wrong remote repository.

Why it was flagged

The script can push commits to GitHub and publish to ClawHub as part of one command. This is disclosed and purpose-aligned, but it is a high-impact tool action.

Skill content

git push origin "$BRANCH" ... clawhub publish "$SKILL_PATH" --slug "$SKILL_NAME" --name "$SKILL_NAME" --version "$VERSION"

Recommendation

Use --dry-run first, verify the skill path, repo, branch, and changelog, and review the files that will be published.

What this means

The skill can act through your existing authenticated accounts to publish to ClawHub and push to GitHub.

Why it was flagged

The skill relies on the user's authenticated ClawHub and GitHub-capable environment. That access is expected for publishing, but it grants account-backed mutation authority.

Skill content

`clawhub` CLI installed and authenticated (`clawhub whoami`); `git` CLI available with push access to target repo

Recommendation

Run it only from an account and repository where you intend to publish, and ensure the credentials have only the permissions needed.

What this means

Installation metadata may not fully warn users that local publishing tools and authenticated CLI sessions are needed.

Why it was flagged

The skill depends on external local CLIs, while the registry metadata declares no required binaries or credentials. This is under-declared but consistent with the documented publishing workflow.

Skill content

Prerequisites: `clawhub` CLI installed and authenticated ... `git` CLI available ... (Optional) `grizzly` CLI for Bear notes sync

Recommendation

Confirm the required CLIs are installed from trusted sources and authenticated to the intended accounts before running the script.

What this means

Skill publishing metadata and changelog text may be saved into Bear notes or printed as a fallback log.

Why it was flagged

The script can create a persistent Bear note containing the skill name, version, timestamp, and changelog. This is disclosed as Bear notes sync, but it stores task context outside the immediate run.

Skill content

echo -e "$NOTE_BODY" | grizzly create --title "$NOTE_TITLE" --tag "$BEAR_TAG"

Recommendation

Avoid putting secrets or private details in changelog text, or run with --skip-bear if you do not want Bear notes updated.