Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Universal Release

v1.0.0

Universal release workflow. Auto-detects version files and changelogs. Supports Node.js, Python, Rust, Claude Plugin, and generic projects. Use when user say...

0 · 167 · 0 current · 0 all-time
by wh1ko@zoopools
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability (flagged)
The skill claims to automate releases, but its metadata declares no required binaries or credentials. The runtime instructions call git and the GitHub CLI (gh) and read and write repository files. These are necessary for the stated purpose, but they are not listed as requirements.
Instruction Scope (flagged)
SKILL.md instructs the agent to run git commands, call 'gh pr view' and 'gh repo view', scan and modify changelog and version files, and insert content into files. It therefore implicitly requires network access to GitHub and permission to write repository files, yet the instructions neither declare nor constrain those actions, and they do not explain how PR numbers are resolved or how and when changes are committed or pushed.
Install Mechanism
This is an instruction-only skill with no install spec (lowest install risk). However, the missing install section also reduces transparency: the skill relies on external binaries (git, gh) and on local repository state that must already exist on the host, none of which is stated.
Credentials (flagged)
The skill requires access to repository files and to GitHub through the 'gh' CLI, which implies credentials (local gh auth or GITHUB_TOKEN) and network access. No environment variables, tokens, or credential requirements are declared, so the actual credential needs are disproportionate to the published metadata.
Persistence & Privilege
The skill does not set always: true and does not request persistent or global agent changes. It is user-invocable and can be invoked autonomously, which is the platform default and expected for a workflow skill.
What to consider before installing
This skill looks like a reasonable release helper but is missing important operational details. Before installing or running it: (1) confirm you have git and the GitHub CLI (gh) installed and authenticated, since the skill will call them; (2) understand that it will read and modify version and changelog files in your repo and may commit or push changes, which requires network access to GitHub; (3) verify which credentials and permissions the agent will use (local gh auth or a token) and avoid providing broad repo- or org-level tokens unless you trust the skill; (4) run it with the provided --dry-run option first and review the resulting changes locally before applying or pushing them. If the vendor or source can provide an updated SKILL.md that explicitly lists required binaries and gives credential guidance, re-evaluate after those corrections.
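The four checks above can be scripted as a preflight that runs before the skill is invoked at all. The POSIX shell script below is an added example for this scan result, not code from the skill, its author, or ClawHub. It assumes that `gh auth status` prints a line of the form "Token scopes: 'gist', 'read:org', 'repo'" for classic tokens (fine-grained tokens print no scope list, so that check is skipped for them), and the set of scopes it treats as broader than a release helper needs is this example's own judgement, not a ClawHub rule.

```shell
#!/bin/sh
# Preflight checks before letting a release skill drive git and gh.
# Added example for this scan result; not part of the skill or of ClawHub.
set -u

# have_bins BIN...: succeed only if every named binary is on PATH.
have_bins() {
  missing=0
  for b in "$@"; do
    if ! command -v "$b" >/dev/null 2>&1; then
      echo "missing: $b" >&2
      missing=1
    fi
  done
  return "$missing"
}

# broad_scopes SCOPES: SCOPES is the quoted, comma-separated scope list as
# printed by `gh auth status` (assumed format: "'gist', 'read:org', 'repo'").
# Prints every scope that grants more than a release helper needs and fails
# if any was found. Which scopes count as "broad" is this example's choice:
# pushing tags and reading PRs needs 'repo', not org administration, hook
# administration, or repository deletion.
broad_scopes() {
  found=0
  for s in $(printf '%s' "$1" | tr -d "'\"" | tr ',' ' '); do
    case "$s" in
      admin:org|admin:enterprise|admin:repo_hook|delete_repo|write:org)
        echo "broad scope: $s"
        found=1 ;;
    esac
  done
  return "$found"
}

# tree_clean DIR: succeed if DIR is a git work tree with no local changes,
# so anything the skill writes shows up in `git diff` afterwards.
tree_clean() {
  out=$(git -C "$1" status --porcelain) || return 2
  [ -z "$out" ]
}

# preflight [DIR]: run the checks in order and stop at the first failure.
preflight() {
  repo=${1:-.}
  have_bins git gh || return 1
  status=$(gh auth status 2>&1) || { echo "gh is not authenticated" >&2; return 1; }
  # Assumed output format of `gh auth status`; empty for fine-grained tokens.
  scopes=$(printf '%s\n' "$status" | sed -n 's/.*Token scopes: //p')
  if [ -n "$scopes" ] && ! broad_scopes "$scopes"; then
    echo "token grants more than a release helper needs; use a narrower token" >&2
    return 1
  fi
  tree_clean "$repo" || {
    echo "commit or stash local changes first so the skill's edits are reviewable" >&2
    return 1
  }
  echo "ok: invoke the skill with --dry-run, then inspect 'git -C $repo diff' before committing or pushing"
}

# Usage: sh preflight.sh run [path-to-repo]
if [ "${1:-}" = "run" ]; then
  preflight "${2:-.}"
fi
```

The clean-tree requirement is the part that makes the dry-run reviewable: with no local changes beforehand, every file the skill touches appears in `git diff`, and nothing is pushed until you decide to.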


Tags: changelog, git, latest, publish, release, version

