Publish Guard
v1.0.2
Review a repo, README, SKILL.md, release notes, and social copy before publishing. Catch leak risks, weak public-facing copy, broken first-run paths, and int...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw verdict: Benign (high confidence)
Purpose & Capability
The name and description claim a public-surface audit, and the bundle contains four scripts (leak scan, surface checks, copy scoring, report renderer) that directly implement it. Calling git ls-files and reading README/SKILL.md/openai.yaml is expected for this purpose.
Instruction Scope
SKILL.md instructs the agent to run the included Python scripts against a repo. The scripts enumerate and read tracked/text files (and fall back to a recursive scan), which is necessary to find leak-like strings and audience-fit issues. Be aware the scripts will read any text files in the repo (and thus can surface secrets found in the repo); they do not send data to external endpoints.
Install Mechanism
No install spec; the skill is instruction + scripts requiring a local python3/python binary. No external downloads or package installs are performed by the skill itself.
Credentials
The skill requests no environment variables or credentials. It scans for credential-like strings (e.g., OpenAI keys, GH tokens) but does not require or access any external secrets or APIs.
Persistence & Privilege
The always flag is false, and the skill does not modify other skills or global agent settings. It runs as ephemeral scripts that read repository files and write JSON/markdown outputs to disk.
Assessment
This skill appears coherent and implements a local pre-release audit. Before installing or running it: (1) review the included scripts yourself (they are short, pure Python) to confirm behavior; (2) run scans locally or on a non-shared clone: the tools will read and report secret-shaped strings from your repo, and you may not want to upload those results; (3) do not drop sensitive repos into shared/remote execution environments for scanning; (4) validate any findings before sharing output externally (reports may contain snippets that look like credentials). If you need networked/external scanning or automated reporting, consider adding explicit safeguards (sanitize outputs, avoid uploading raw snippets).
Like a lobster shell, security has layers: review code before you run it.
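As an added illustration, not the skill's own scripts (which this page does not reproduce), the Python sketch below shows the shape of the leak-scan step described above and applies the assessment's caveat about sanitized output: enumerate git-tracked files with git ls-files, fall back to a recursive walk outside a git checkout, skip binaries, match credential-shaped strings, and redact every match before it reaches the JSON report so the report itself cannot leak the secret it found. The token prefixes are public (GitHub's ghp_/gho_/ghu_/ghs_/ghr_ and github_pat_, OpenAI's sk-); the length limits, the redaction scheme, and the sample input in the usage note are assumptions made for this example.

```python
"""Minimal local leak scan with redacted reporting.

Added example modelled on the Publish Guard description; not the skill's own code.
Token prefixes are public; length limits and the redaction scheme are assumptions.
"""
from __future__ import annotations

import json
import re
import subprocess
from pathlib import Path

# Heuristic patterns for credential-shaped strings. Lengths are approximate and
# deliberately loose: a pre-release scan should prefer false positives to misses.
PATTERNS = {
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "github_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "openai_key": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
}


def list_files(repo: Path) -> list[Path]:
    """Prefer git-tracked files (ignored and untracked files are not what ships);
    fall back to a recursive walk when the directory is not a git checkout."""
    try:
        out = subprocess.run(["git", "-C", str(repo), "ls-files", "-z"],
                             check=True, capture_output=True)
        names = [n for n in out.stdout.decode("utf-8", "replace").split("\0") if n]
        return [repo / n for n in names]
    except (subprocess.CalledProcessError, FileNotFoundError):
        return [p for p in repo.rglob("*") if p.is_file() and ".git" not in p.parts]


def is_text(data: bytes) -> bool:
    """Treat anything with a NUL byte or invalid UTF-8 as binary and skip it."""
    if b"\0" in data:
        return False
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def redact(token: str) -> str:
    """Keep just enough of a match to locate it; never write the full value to a report."""
    if len(token) <= 8:
        return "*" * len(token)
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def scan_text(text: str, path: str) -> list[dict]:
    """Return one finding per match, with the matched value already redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "snippet": redact(m.group(0))})
    return findings


def scan_repo(repo: Path) -> list[dict]:
    """Scan every text file the repo would publish; unreadable files are skipped."""
    findings = []
    for p in list_files(repo):
        try:
            data = p.read_bytes()
        except OSError:
            continue
        if not is_text(data):
            continue
        findings.extend(scan_text(data.decode("utf-8"), str(p.relative_to(repo))))
    return findings


def render_report(findings: list[dict]) -> str:
    """JSON report safe to attach to a release checklist: snippets are redacted."""
    return json.dumps({"count": len(findings), "findings": findings}, indent=2)


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(render_report(scan_repo(target)))
```

Run it as `python3 leak_scan.py path/to/repo` to get the JSON report on stdout. A constructed line such as `token=ghp_` followed by 36 letters is reported as kind github_token with a snippet like `ghp_****...AAAA`, so the report can be pasted into a review thread without reproducing the credential; the caller still has to rotate anything that was real.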
Tags: clawhub, docs, github, latest, linting, openclaw, readme, release, release-engineering, safety, security
Runtime requirements: any of python3, python
