Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Updater

v1.0.0

Updates a specific skill within a repository and triggers the automated publishing pipeline. Use when the user wants to release a new version of a single skill.

by Wells Wu (@wells1137)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wells1137/wells1137-skill-updater.

Install the skill "Skill Updater" (wells1137/wells1137-skill-updater) from ClawHub.
Skill page: https://clawhub.ai/wells1137/wells1137-skill-updater
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install wells1137-skill-updater

ClawHub CLI


npx clawhub@latest install wells1137-skill-updater
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description, SKILL.md, and scripts/update.sh all align: the skill asks for a repo path, skill name, version and changelog, and runs the repository's release script. No unrelated capabilities, binaries, or environment variables are requested by the skill itself.
Instruction Scope
The runtime instructions (and update.sh) change directory into the provided REPO_PATH and execute scripts/release.sh with no validation or sandboxing. That release script is arbitrary code under the repository's control and may perform any action (push tags/commits, run network requests, read local files, exfiltrate secrets). The SKILL.md and update.sh do not limit or verify the release script's behavior or the repository path.
Install Mechanism
This is instruction-only with no install spec and no external downloads — low install-time risk because nothing is written to disk by the skill package itself.
Credentials
The skill declares no required environment variables, yet a real release/publish operation will commonly rely on credentials (e.g., GITHUB_TOKEN, repo deploy keys) or other secrets. The skill does not document or request these, and the release script executed may read any environment variables available in the agent's environment, which is a mismatch and increases risk.
Persistence & Privilege
always:false and no config paths are requested, so the skill does not request permanent inclusion or modify other skills. However model-invocation is enabled by default (agent may invoke autonomously); combined with the ability to run arbitrary repo scripts, that increases the potential blast radius if the agent is permitted to run this skill without explicit user confirmation.
What to consider before installing
This skill will run whatever scripts/release.sh exists in the repository path you provide. That script can do anything (including push code, read files, or send data to external servers). Before using the skill:

  1. Inspect the target repository's scripts/release.sh (and any scripts it calls) so you understand exactly what will run.
  2. Avoid pointing it at sensitive system or root paths.
  3. Run the release script manually first (or in an isolated CI environment) to confirm behavior.
  4. Ensure any tokens used (GITHUB_TOKEN, deploy keys) follow least privilege and are not broadly available to the agent.
  5. If you don't trust the repo or cannot review the release script, do not run this skill.

Additional information that would reduce concern: explicit documentation of required credentials and a safer execution mode (dry-run, sandbox, or validation of the release script) or code that restricts which repository paths are allowed.

Like a lobster shell, security has layers — review code before you run it.

latest vk97dgbf01ykavvs75btkwy5ywn826c2d
388 downloads
0 stars
1 versions
Updated 14h ago
v1.0.0
MIT-0

Skill Updater

This skill automates the release process for a single skill within a repository, ensuring it's published to all relevant channels without affecting other skills.

When to Use

  • When you have modified a single skill and are ready to release a new version.
  • When you want to automate the process of updating the skill's version, creating a changelog commit, and publishing it to ClawHub.

How It Works

This skill finds and executes a release script within the target repository. It assumes the repository has been set up with the skill-publisher pipeline.

Execution Steps

When this skill is activated, it will:

  1. Ask for Target Skill: It will ask the user for the name of the skill to update (e.g., image-gen).
  2. Ask for New Version: It will request the new version number (e.g., 2.1.0).
  3. Ask for Changelog: It will ask for a short, one-line description of the changes.
  4. Execute Release Script: It will locate the scripts/release.sh script in the repository and execute it with the provided arguments.

This triggers the publish.yml GitHub Actions workflow, which detects the new tag and publishes the updated skill to ClawHub.
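The steps above pass a repository path and three user-supplied strings straight to scripts/release.sh. The following wrapper is an added example, not the skill's own update.sh or any ClawHub code, showing the checks a reviewer would want before that script runs. ALLOWED_ROOT, CONFIRM_RELEASE and the function names are assumptions introduced for the example.

```shell
#!/bin/sh
# Added example, not the skill's update.sh: check every input before the
# repository's scripts/release.sh is allowed to run.
# ALLOWED_ROOT, CONFIRM_RELEASE and the function names are assumptions.
ALLOWED_ROOT="${ALLOWED_ROOT:-$HOME/skill-repos}"

fail() { echo "refused: $1" >&2; return 1; }

# Prints the canonical repo path on success; returns 1 on any failed check.
validate_release_args() {
  local repo="$1" skill="$2" version="$3" changelog="$4" real root nl
  nl=$(printf '\nx'); nl=${nl%x}
  real=$(cd -- "$repo" 2>/dev/null && pwd -P) || { fail "repo path not found"; return 1; }
  root=$(cd -- "$ALLOWED_ROOT" 2>/dev/null && pwd -P) || { fail "allowed root not found"; return 1; }
  # Canonical path must sit below the allowed root (symlinks and ../ resolved).
  case "$real" in "$root"/*) ;; *) fail "repo is outside $root"; return 1 ;; esac
  # Skill name: lowercase slug only, so it cannot carry options or paths.
  case "$skill" in ''|-*|*[!a-z0-9-]*) fail "bad skill name"; return 1 ;; esac
  # Version: strict MAJOR.MINOR.PATCH.
  case "$version" in ''|*[!0-9.]*) fail "bad version"; return 1 ;; esac
  printf '%s\n' "$version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' \
    || { fail "bad version"; return 1; }
  # Changelog: one short line that cannot be read as an option.
  case "$changelog" in ''|-*|*"$nl"*) fail "bad changelog"; return 1 ;; esac
  [ "${#changelog}" -le 200 ] || { fail "changelog too long"; return 1; }
  # The release script must be a regular file, not a symlink out of the repo.
  [ -f "$real/scripts/release.sh" ] && [ ! -L "$real/scripts/release.sh" ] \
    || { fail "scripts/release.sh missing or a symlink"; return 1; }
  printf '%s\n' "$real"
}

# Dry run by default; executes only when CONFIRM_RELEASE=yes is set.
run_release() {
  local real
  real=$(validate_release_args "$@") || return 1
  if [ "${CONFIRM_RELEASE:-no}" != "yes" ]; then
    echo "dry run: $real/scripts/release.sh $2 $3" >&2
    return 0
  fi
  # Scrubbed environment: tokens held by the agent are not inherited.
  (cd "$real" && env -i PATH="$PATH" HOME="$HOME" sh scripts/release.sh "$2" "$3" "$4")
}
```

Because the environment is scrubbed, any credential the release script really needs has to be passed through explicitly, which makes the required secrets visible at the call site. The checks constrain the arguments and the path only; the content of release.sh still has to be reviewed by a person.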

Example Interaction

User: "Help me update the image-gen skill."

Agent (using this skill): "What is the new version number?"

User: "2.1.0"

Agent: "And what's the main change in this version?"

User: "Added Stable Diffusion 3 support."

Agent: "Got it. Releasing image-gen v2.1.0..."

Agent executes bash scripts/release.sh image-gen 2.1.0 "Add Stable Diffusion 3 support"
