ClawHub Skill Publisher
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: clawhub-skill-publisher Version: 1.0.0 The skill bundle is designed for publishing and syncing OpenClaw skills, and its code and documentation demonstrate a strong focus on security and safety. It includes preflight checks to prevent accidental secret leaks and enforce content policies (e.g., blocking CJK text by default), uses secure methods for handling API tokens (reading from env/file, not printing), and employs robust shell scripting practices like argument arrays to mitigate injection risks. There are no indications of prompt injection attempts in the markdown files, data exfiltration to unauthorized endpoints, persistence mechanisms, or other malicious behaviors. The functionality is clearly aligned with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken root path or unreviewed local skill could be uploaded or version-bumped in bulk.
The batch workflow syncs every skill under the chosen root and can bump versions after authentication. The script does not show the publish script's secret/CJK preflight checks or a confirmation step before this bulk action.
ROOT="${HOME}/.openclaw/workspace/skills" ... cmd=(clawhub sync --root "$ROOT" --all --bump "$BUMP" --tags "$TAGS") ... "${cmd[@]}"Run `--dry-run` first, restrict `--root` to a reviewed directory, and add the same preflight checks or an explicit confirmation gate to the batch sync path.
A user expecting a no-side-effect preview may still authenticate to ClawHub and create or reuse a privileged publishing session.
`ensure_authenticated` runs before the dry-run branch, and that function can execute `clawhub login --token "$CLAWHUB_TOKEN" --no-browser`. This means a dry run can still use the account token/session even though the docs describe dry-run as only printing or previewing.
ensure_authenticated cmd=(clawhub publish "$SKILL_PATH" ...) if [[ "$DRY_RUN" == "true" ]]; then printf '[dry-run] '
Move dry-run handling before authentication, or clearly document that dry-run still logs in. Use a scoped, rotatable token and only point `--registry` at trusted ClawHub domains.
Users may rely on advertised safeguards and accidentally sync skills containing secrets or disallowed content.
The safety wording broadly suggests publishing is protected by preflight checks, but the supplied batch sync script directly runs `clawhub sync --all` and does not implement those shown checks. This can overstate the protection users get during bulk sync.
Runs preflight checks before publish ... Default policy blocks common secret patterns before publishing ... Batch sync local skills
Clarify that preflight checks apply only to the single-skill publish path unless batch sync is updated to run the same checks.
Users may not see the credential and CLI requirements until they read the skill instructions or run the scripts.
The metadata does not declare the `clawhub` and `python3` runtime dependencies or the ClawHub token flow that the scripts use. SKILL.md discloses the main requirements, but automated install/capability review may miss them.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none ... No install spec — this is an instruction-only skill.
Declare required binaries and the ClawHub token/session requirement in metadata so users and automated reviewers can see them before installation.