ClawHub

OpenClaw Plugin Ship Gate

v1.1.0

Deterministic release-gate workflow for OpenClaw plugins. Use when you need to scaffold a plugin, run preflight validation, diagnose publish blockers, and pr...

0· 98·0 current·0 all-time
byVasiliy@vassiliylakhonin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the included scripts and required binaries. git and jq are appropriate for extracting git metadata and validating JSON; the three provided scripts implement scaffolding, preflight checks, and publication-field extraction as described.
Instruction Scope
SKILL.md directs the agent to run the included scripts against a plugin directory. The scripts only read local files, validate JSON, grep for risky patterns, and call git to read repo metadata. They do not transmit data to external endpoints or read unrelated system credentials. (Note: the grep runs across repository files for JS/TS patterns, which is expected for static checks.)
Install Mechanism
No install spec — instruction-only with shipped scripts. Nothing is downloaded or extracted from remote URLs; scripts are plain bash files included in the package.
Credentials
No environment variables, credentials, or config paths are requested. The scripts use git and jq and read local repo state only; this is proportionate to the stated purpose.
Persistence & Privilege
Skill is user-invocable, not always-enabled. It does not request elevated or persistent system privileges, does not modify other skills or global agent settings, and only writes scaffold files to a target directory when scaffold mode is used.
Assessment
This skill appears coherent and implements exactly what it claims: scaffolding, local preflight checks, and extraction of git publish fields. Before running: ensure git and jq are installed; run scripts in a safe/isolated directory (not the root of a large or secret-containing repo) because the scaffold creates files and the preflight greps repository files; confirm your git remote URL does not include embedded credentials (plugin-release-fields prints the remote URL); and review the scripts if you want to be extra cautious. The skill does not auto-publish or require cloud credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk9751b8e31gfcwmaevvezmax8h851jpa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧭 Clawdis
OSLinux · macOS · Windows
Binsgit, jq

Comments