← Back to Skills Marketplace

Skill Publisher — ClawHub 一键发布器

Name: Skill Publisher — ClawHub 一键发布器
Author: antonia-sz

by antonia huang · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

339

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install clawhub-publish-skill

Description

将本地 skill 目录发布到 clawhub.com 的自动化发布助手。当用户说"发布这个 skill 到 clawhub"、"把 XX skill 上传到 clawhub"、 "clawhub publish"、"发布到 clawhub" 等时触发。自动处理：token 验证、CLI bug patch、...

README (SKILL.md)

ClawHub Publisher — Skill 自动发布器

把本地 skill 目录一键发布到 clawhub.com，自动处理所有已知坑。

需要用户提供

参数	说明	示例
`skill 目录路径`	本地 skill 文件夹（必须包含 SKILL.md）	`/root/.openclaw/workspace/skills/SKILL-xxx`
`clawhub token`	格式 `clh_xxx`，clawhub.com → Profile → API Keys 获取	`clh_7XoVic...`
`slug`	URL 名称，全小写+连字符	`my-skill-name`
`displayName`	展示名称	`My Skill — 一句话描述`
`tags`	逗号分隔（可选）	`productivity,writing`

如果缺少任何必填项，只问缺少的那个，不要重复已知信息。

执行流程

Step 1：环境检查

# 确认 clawhub CLI 已安装
which clawhub || npm install -g clawhub
clawhub --version

# 确认 skill 目录存在且包含 SKILL.md
ls {skill_dir}/SKILL.md

Step 2：Patch CLI（如需要）

clawhub CLI 存在一个 bug：publish 时 payload 缺少 acceptLicenseTerms: true，服务端会返回 400。

检查并修复：

PUBLISH_JS=$(find /usr/local/lib /usr/lib -name "publish.js" -path "*/clawhub/*" 2>/dev/null | head -1)

# 检查是否已 patch
grep -q "acceptLicenseTerms" "$PUBLISH_JS" && echo "已 patch" || \
  # 在 payload 构建处加入 acceptLicenseTerms: true
  sed -i 's/skillName:/acceptLicenseTerms: true, skillName:/' "$PUBLISH_JS" && echo "patch 完成"

💡 patch 是幂等的，重复执行无害。

Step 3：查重（可选但推荐）

# 用 knot_skills 搜索是否已有同名/同功能 skill
knot_skills search "{slug关键词}"

如果发现完全重复的 skill，告知用户，询问是否继续（换 slug 或放弃）。

Step 4：执行发布

CLAWHUB_TOKEN={token} \
clawhub publish {skill_dir} \
  --slug {slug} \
  --name "{displayName}" \
  --version {version:-1.0.0} \
  --changelog "{changelog:-Initial release}" \
  --tags "{tags:-latest}"

Step 5：错误处理

遇到以下错误时，按对应方案处理：

Error: Path must be a folder → 检查传入的是目录路径还是文件路径，修正后重试

slug already taken / 409 → 在 slug 后加 -v2 或更具体的后缀，询问用户确认后重试

rate limit exceeded / 429 → 使用 qqbot-cron skill 创建定时重试任务：

约 65 分钟后执行相同的 publish 命令
任务名：clawhub-publish-retry-{slug}
完成后通知用户

400 Bad Request（含 acceptLicenseTerms） → 重新执行 Step 2 的 patch，再重试

401 Unauthorized → token 无效或已过期，请用户在 clawhub.com 重新生成

Step 6：验证上架

knot_skills search "{slug}"

发布成功后回复：

✅ 发布成功：{displayName}
📦 slug：{slug}
🌐 https://clawhub.com/skills/{slug}
安装命令：clawhub install {slug}

快速调用示例

用户说：

"把 /workspace/skills/SKILL-my-tool 发布到 clawhub，token 是 clh_abc，slug 用 my-tool"

直接执行 Step 1-6，完成后汇报结果，无需逐步确认。

Usage Guidance

This skill is suspicious rather than clearly benign. Before using it: 1) Note the metadata claims no env vars but the instructions require your clawhub token — do not paste long‑lived secrets without verifying source. 2) The skill suggests running 'npm install -g clawhub' and then searching and editing system files (publish.js). Patching global packages can require root and can alter behavior system-wide; prefer to inspect the target file yourself and back it up before allowing any automatic patch. 3) The SKILL.md calls out other CLIs (knot_skills, qqbot-cron) that are not declared — confirm those tools exist and are safe. 4) If you must use this, run it in an isolated environment (container or VM) or perform steps manually: install clawhub yourself, inspect publish.js, and run the publish command with a short‑lived token. 5) If anything seems unclear, treat the skill as untrusted and avoid giving it system or privileged access.

Capability Analysis

Type: OpenClaw Skill Name: clawhub-publish-skill Version: 1.0.0 The skill automates publishing to clawhub.com but includes a high-risk step that uses `sed` to modify the source code of the globally installed `clawhub` CLI (`publish.js`) to inject parameters. While described as a bug fix for a 400 error, the automated modification of system-level executable files and instructions to proceed without user confirmation (SKILL.md) are risky behaviors. No evidence of intentional data exfiltration or malicious backdoors was found.

Capability Assessment

⚠ Purpose & Capability

The SKILL.md describes a ClawHub publisher which legitimately needs a clawhub token and a local skill path; however the registry metadata declares no required env vars or binaries. The instructions also rely on external CLI tools (clawhub, knot_skills, qqbot-cron) and propose patching system-installed files — capabilities that are not reflected in the metadata and are broader than a simple publisher helper would normally need.

⚠ Instruction Scope

The runtime instructions tell the agent to run shell commands, install a global npm package if missing, search system library paths (/usr/local/lib, /usr/lib) for publish.js, and use sed -i to alter that file to insert acceptLicenseTerms: true. This modifies third‑party/system files outside the user's skill directory and requires elevated privileges in many environments. The doc also instructs using other tools (knot_skills, qqbot-cron) without declaring them.

⚠ Install Mechanism

There is no formal install spec (instruction-only), but the SKILL.md runs an inline install flow (npm install -g clawhub) which downloads and installs code from the network. Combined with editing global package files, this is a high-risk install pattern because it writes/executes code system-wide and isn't constrained by the registry metadata.

⚠ Credentials

The registry metadata lists no required environment variables, yet the SKILL.md explicitly requires a clawhub token and various user-supplied parameters. That mismatch is confusing and could lead to unexpected prompts for secrets. Additionally the steps may require root or write access to global npm locations to patch files, which is disproportionate for a simple publisher operation.

⚠ Persistence & Privilege

The skill is not marked always:true, but its instructions ask to modify system-wide CLI code (publish.js) and to install global npm packages — actions that can have persistent, system-level effects and generally require elevated privileges. This increases blast radius if the instructions are malicious or buggy.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install clawhub-publish-skill
After installation, invoke the skill by name or use /clawhub-publish-skill
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

把本地 skill 目录一键发布到 clawhub，自动处理 patch/slug冲突/频率限制

Metadata

Slug clawhub-publish-skill

Version 1.0.0

License MIT-0

All-time Installs 1

Active Installs 1

Total Versions 1

Frequently Asked Questions

What is Skill Publisher — ClawHub 一键发布器?

将本地 skill 目录发布到 clawhub.com 的自动化发布助手。当用户说"发布这个 skill 到 clawhub"、"把 XX skill 上传到 clawhub"、 "clawhub publish"、"发布到 clawhub" 等时触发。自动处理：token 验证、CLI bug patch、... It is an AI Agent Skill for Claude Code / OpenClaw, with 339 downloads so far.

How do I install Skill Publisher — ClawHub 一键发布器?

Run "/install clawhub-publish-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skill Publisher — ClawHub 一键发布器 free?

Yes, Skill Publisher — ClawHub 一键发布器 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Skill Publisher — ClawHub 一键发布器 support?

Skill Publisher — ClawHub 一键发布器 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Skill Publisher — ClawHub 一键发布器?

It is built and maintained by antonia huang (@antonia-sz); the current version is v1.0.0.

More Skills