← Back to Skills Marketplace
ClawdHub Publish Helper
by
cdmichaelb
· GitHub ↗
· v1.0.1
· MIT-0
107
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install clawhub-publish-helper
Description
Prepare and publish an OpenClaw skill to ClawHub. Handles PII/secret auditing, generalization, env var extraction, directory scaffolding, git init, and the c...
README (SKILL.md)
Publish Skill
Prepare and publish an OpenClaw skill to ClawHub. This skill codifies the audit → generalize → publish workflow.
When To Use
- Publishing a new skill to ClawHub
- Updating an existing published skill
- When the user says "publish this skill", "prepare for publishing", "make a publishable copy"
- NOT for installing skills from ClawHub (that's
npx clawhub@latest install)
Workflow
Step 1: Audit the Live Skill
Before creating any copy, audit the source skill for secrets and PII:
- Read every file in the skill directory recursively
- Check for these categories of sensitive content:
| Category | Examples | Action |
|---|---|---|
| Secrets | API keys, tokens, passwords, private keys | Must remove |
| Paths | Absolute paths (/home/username/..., /Users/...) |
Replace with env var or ~ relative |
| Discord IDs | Channel IDs, user IDs, guild IDs, message IDs | Remove or replace with env var |
| Timezones | Hardcoded IANA timezone strings | Replace with env var |
| Personal data | Real names, emails, phone numbers, medication names | Remove or generalize |
| Network info | IP addresses, internal URLs, port numbers | Remove or replace with placeholders |
| Custom identifiers | User-specific labels, internal project names | Generalize |
- Report findings to the user before proceeding — do not silently modify
Step 2: Create Publishable Copy
Create a separate directory (never modify the live skill):
$CLAWHUB_DEFAULT_DIR/\x3Cskill-name>-skill/
Default base: ~/projects/skills (override via CLAWHUB_DEFAULT_DIR env var).
Directory structure:
\x3Cskill-name>-skill/
├── SKILL.md # Manifest (generalized)
├── README.md # User-facing docs
├── .gitignore # Standard ignores
├── scripts/ # Script files (generalized)
├── references/ # Optional reference docs
└── ... # Any other skill-specific files
Step 3: Generalize Content
For each file in the skill:
SKILL.md frontmatter:
- Add
env:block declaring all extracted env vars with descriptions and required/optional - Remove any personal identifiers from
description
Scripts (Python, Shell, etc.):
- Replace hardcoded paths with
os.environ.get("VAR", fallback)/ env var reads - Replace hardcoded timezones with env var (UTC fallback)
- Remove
now()/utc_now()fallbacks that bypass source timestamps — raise errors instead - Remove personal data (medication names become empty lists with edit instructions, etc.)
- Remove dead code and unused imports
Documentation (Markdown):
- Remove Discord IDs, channel names, user IDs
- Replace personal examples with generic ones
- Keep timezone/ID references only as example values (e.g. "e.g. America/Los_Angeles")
- Remove internal URLs/IPs
Shell wrappers:
- Use relative path resolution:
SCRIPT="$(cd "$(dirname "$0")" && pwd)/tracker.py" - Remove hardcoded absolute paths
Step 4: Verify Clean State
Run a final grep across all files:
grep -rn "hardcoded_pattern1\|hardcoded_pattern2\|..." --include="*.py" --include="*.md" --include="*.sh" .
Verify:
- No secrets or tokens remain
- No absolute paths containing usernames
- No Discord/user IDs
- No personal data (real names, specific medication names, etc.)
- Timezone strings only in examples/comments, never as runtime defaults
- All config via env vars with sensible defaults
Step 5: Git Init and Commit
git init
git add -A
git commit -m "Initial publishable copy — no PII, no secrets"
Step 6: Publish (with user confirmation)
Always confirm with the user before publishing.
npx clawhub@latest publish --slug \x3Cskill-name> --version \x3Cversion> --name "\x3Cdisplay name>" /absolute/path/to/skill-dir
Gotchas:
- Use absolute paths, not
.— cwd may not propagate through exec/shell layers --slugis required — without it, the CLI picks up the directory name- Slug naming is competitive — every generic name (
publish-skill,skill-publisher, etc.) is likely taken. Pick something unique or namespaced (e.g.myname-publish-helper) - Rate limited — if you get slug collisions repeatedly, wait 50s between retries
Common version bumps:
- New skill:
1.0.0 - Bug fix: patch bump (e.g.
1.0.0→1.0.1) - New feature: minor bump (e.g.
1.0.0→1.1.0)
After publishing, report the slug, version, and install command to the user.
Common Patterns
Extracting env vars from hardcoded values
Before:
TIMEZONE = ZoneInfo("America/Los_Angeles")
WORKSPACE = "/home/user/.openclaw/workspace"
After:
TZ_STR = os.environ.get("MEDICATION_TIMEZONE", "UTC")
TIMEZONE = ZoneInfo(TZ_STR)
WORKSPACE = os.environ.get("WORKSPACE", os.path.expanduser("~/.openclaw/workspace"))
Replacing personal config with user-editable sections
Before:
MORNING_MEDS = ["RealMedA", "RealMedB"]
KNOWN_MEDS = ["RealMedA", "RealMedB", "RealMedC"]
After:
# Edit these lists to match your regimen
MORNING_MEDS: list[str] = [] # e.g. ["MedA", "MedB"]
KNOWN_MEDS: list[str] = [] # e.g. ["MedA", "MedB", "MedC"]
Removing timestamp fallbacks
Before:
dt_utc = datetime.fromisoformat(ts) if ts else datetime.now(timezone.utc)
After:
if not ts:
raise ValueError("timestamp_utc is required — source message timestamp must be provided")
dt_utc = datetime.fromisoformat(ts.replace("Z", "+00:00"))
Changelog
Add --changelog \x3Ctext> to the publish command for release notes. Example:
npx clawhub@latest publish --slug my-skill --version 1.1.0 --changelog "Added env var support, fixed timestamp handling" .
ClawHub CLI Reference
| Command | Purpose |
|---|---|
npx clawhub@latest login |
Authenticate (browser callback) |
npx clawhub@latest whoami |
Verify auth |
npx clawhub@latest publish --slug X --version Y . |
Publish from current dir |
npx clawhub@latest inspect \x3Cslug> |
View published metadata |
npx clawhub@latest search \x3Cquery> |
Search registry |
Publish must run from inside the skill directory (requires SKILL.md in cwd).
Required Files
SKILL.md— this filereferences/checklist.md— quick audit checklist
Notes
- Never modify the live skill — always create a separate copy
- The publishable copy should work for anyone who installs it with minimal config
- If a skill can't be fully generalized (e.g. deeply personal workflows), document what the user needs to configure
- ClawHub registry may not display
env:frontmatter — that's a registry display issue, not a skill issue
Usage Guidance
This skill appears to do what it says, but be cautious before running it: 1) It will read every file in the skill directory — run it only on a directory you trust or on a copy. 2) Ensure git, Node/npm (for npx), and standard shell tools (grep, sed/awk if you use them) are available — the metadata does not declare these. 3) Inspect the generated publishable copy before running the npx publish command — the SKILL.md asks for user confirmation before publishing, and you should verify there are no remaining secrets and that the slug/version are correct. 4) Because npx downloads the CLI at publish time, ensure you trust the npm package being invoked (clawhub). If you want extra safety, perform the steps manually following this checklist rather than letting the agent run them autonomously.
Capability Analysis
Type: OpenClaw Skill
Name: clawdhub-publish-helper
Version: 1.0.1
The skill bundle is a utility designed to help users prepare and publish OpenClaw skills to the ClawHub registry. It includes detailed instructions for the AI agent to audit files for PII and secrets (e.g., API keys, Discord IDs, absolute paths) and to generalize the code using environment variables before publishing. The workflow explicitly requires user confirmation before the final 'npx clawhub@latest publish' command is executed, and it emphasizes creating a separate copy to avoid modifying the original source code. No malicious patterns, obfuscation, or unauthorized data exfiltration were found.
Capability Assessment
Purpose & Capability
The name/description match the SKILL.md workflow (audit → generalize → git → publish). However the manifest declares no required binaries or env vars even though the instructions assume standard CLI tools (git, npx/Node, grep/grep-compatible shell utilities). This is likely an oversight but worth noting.
Instruction Scope
Instructions explicitly require reading every file in the skill directory, creating a separate copy, removing secrets/PII, running grep-based verification, and asking the user before publishing. Reading all files is necessary for an audit tool, but it also means the agent will see any secrets in the directory — the SKILL.md instructs reporting findings to the user rather than sending them externally, which is appropriate.
Install Mechanism
This is instruction-only (no install spec). The publish step uses `npx clawhub@latest publish`, which will fetch code from the npm registry at runtime — expected for invoking the official CLI but it does imply a network download/execution step that is not declared in an install spec. No arbitrary download URLs or extract operations are present in the skill itself.
Credentials
The skill declares no required environment variables or credentials. It suggests (as part of its process) creating and declaring env vars for the published skill, and references an optional CLAWHUB_DEFAULT_DIR env var for the output directory. No unrelated credentials are requested.
Persistence & Privilege
always is false and the skill is user-invocable. Model invocation is allowed (default), which is normal for skills. There is no request for permanent system changes beyond creating a publishable copy and initializing a git repository in that copy.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install clawhub-publish-helper - After installation, invoke the skill by name or use
/clawhub-publish-helper - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Added slug naming guidance, absolute path requirement, rate limit notes
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is ClawdHub Publish Helper?
Prepare and publish an OpenClaw skill to ClawHub. Handles PII/secret auditing, generalization, env var extraction, directory scaffolding, git init, and the c... It is an AI Agent Skill for Claude Code / OpenClaw, with 107 downloads so far.
How do I install ClawdHub Publish Helper?
Run "/install clawhub-publish-helper" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is ClawdHub Publish Helper free?
Yes, ClawdHub Publish Helper is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does ClawdHub Publish Helper support?
ClawdHub Publish Helper is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ClawdHub Publish Helper?
It is built and maintained by cdmichaelb (@cdmichaelb); the current version is v1.0.1.
More Skills