skill-quick-publish

Pass

Audited by VirusTotal on May 6, 2026.

Overview

Type: OpenClaw Skill

Name: skill-quick-publish

Version: 0.1.0

The skill bundle provides a legitimate automation script (`publish.sh`) for publishing OpenClaw skills to GitHub and ClawHub. It handles duplicate checks, optional Bear note syncing via the `grizzly` CLI, and standard Git operations (clone, commit, push) to a user-defined repository. The code is well-structured, uses safe temporary directory handling, and contains no evidence of malicious intent or unauthorized data exfiltration.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run with the wrong path, repo, branch, or version, it could publish unintended skill contents or update the wrong remote repository.

Why it was flagged

The script can push commits to GitHub and publish to ClawHub as part of one command. This is disclosed and purpose-aligned, but it is a high-impact tool action.

Skill content

git push origin "$BRANCH" ... clawhub publish "$SKILL_PATH" --slug "$SKILL_NAME" --name "$SKILL_NAME" --version "$VERSION"

Recommendation

Use --dry-run first, verify the skill path, repo, branch, and changelog, and review the files that will be published.

What this means

The skill can act through your existing authenticated accounts to publish to ClawHub and push to GitHub.

Why it was flagged

The skill relies on the user's authenticated ClawHub and GitHub-capable environment. That access is expected for publishing, but it grants account-backed mutation authority.

Skill content

`clawhub` CLI installed and authenticated (`clawhub whoami`); `git` CLI available with push access to target repo

Recommendation

Run it only from an account and repository where you intend to publish, and ensure the credentials have only the permissions needed.

What this means

Installation metadata may not fully warn users that local publishing tools and authenticated CLI sessions are needed.

Why it was flagged

The skill depends on external local CLIs, while the registry metadata declares no required binaries or credentials. This is under-declared but consistent with the documented publishing workflow.

Skill content

Prerequisites: `clawhub` CLI installed and authenticated ... `git` CLI available ... (Optional) `grizzly` CLI for Bear notes sync

Recommendation

Confirm the required CLIs are installed from trusted sources and authenticated to the intended accounts before running the script.

What this means

Skill publishing metadata and changelog text may be saved into Bear notes or printed as a fallback log.

Why it was flagged

The script can create a persistent Bear note containing the skill name, version, timestamp, and changelog. This is disclosed as Bear notes sync, but it stores task context outside the immediate run.

Skill content

echo -e "$NOTE_BODY" | grizzly create --title "$NOTE_TITLE" --tag "$BEAR_TAG"

Recommendation

Avoid putting secrets or private details in changelog text, or run with --skip-bear if you do not want Bear notes updated.