TOSR Publish Then Update Test

Review

Audited by ClawScan on May 10, 2026.

Overview

This looks like a leftover test skill that can direct an agent to create, update, and delete real ClawHub entries, so it should only be used in a controlled test account.

Do not install or invoke this unless you intentionally want to run ClawHub lifecycle tests. Use a dedicated test account and test slug, confirm every publish/update/delete action, and verify the skill is cleaned up afterward.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with valid ClawHub authority, the agent could create, update, or delete registry content rather than only inspect information.

Why it was flagged

This documents real state-changing API operations, including create, update, and delete, without artifact-level approval or containment guidance.

Skill content

This skill validates the following operations against the real clawhub API: ... Publish — Creates a new skill via POST /api/v1/skills ... Update — Publishes a new version ... Delete — Removes the skill via DELETE /api/v1/skills/{slug}

Recommendation

Only run this in an isolated test environment with a dedicated test account/token, and require explicit user confirmation before any publish, update, or delete action.

Concern (Medium Confidence)
ASI03: Identity and Privilege Abuse

What this means

A user or agent might rely on ambient ClawHub credentials or an existing session for test mutations without a clearly declared permission scope.

Why it was flagged

The artifact set declares no credential boundary, while the real API publish, update, and delete operations described in SKILL.md would require delegated ClawHub account privileges.

Skill content

Required env vars: none; Env var declarations: none; Primary credential: none

Recommendation

Declare the required credential and scope, use a dedicated low-privilege test identity, and document exactly which account and slug may be modified.

Note (High Confidence)
ASI08: Cascading Failures

What this means

Failed cleanup could leave test skills or versions visible in the registry after the intended test run.

Why it was flagged

The skill acknowledges that cleanup can fail and leave artifacts in the shared ClawHub registry.

Skill content

This skill is ephemeral and will be automatically deleted after the test completes. If you see this skill listed on clawhub, it means a test run failed to clean up properly.

Recommendation

Verify cleanup manually after use and prefer isolated test namespaces or accounts so failed cleanup does not affect normal registry content.