Skill Publisher

The package claims to set up a publishing pipeline for the user's repository but contains multiple hardcoded paths, repo names, and actions that promote the author's repo (wells1137) and will use the user's GitHub token to push workflows and set secrets — this behavior appears intentionally deceptive.

Do not run this skill or provide your GitHub PAT or ClaWHub token. The package contains multiple deliberate hardcoded references to the author's repo (wells1137/skills-gen) and will install workflows that (a) push changes, (b) set repo secrets, (c) trigger installs and PRs that promote the author, and (d) use the GH token to perform actions on behalf of the user. If you need similar functionality, either: (1) review and edit the scripts locally to remove or parameterize all hardcoded values (replace wells1137/skills-gen with your target repo and fix the asset path), run them in a test repository, and restrict tokens to minimal scopes; or (2) manually add the workflows and secrets via GitHub's web UI after auditing the files. Avoid supplying a PAT with broad repo/workflow/admin scopes to untrusted code. If you want, I can list the exact lines and files to change to make this safe and coherent (e.g., parameterize REPO in setup-github-topics.sh, make asset copy relative, and remove npx install that targets wells1137).