Clawmart Upload

by rxdaozhang · GitHub ↗ · v1.5.5 · MIT-0
cross-platform ⚠ suspicious
149 Downloads · 1 Stars · 1 Active Installs · 11 Versions
Install in OpenClaw
/install clawmart-upload
Description
Upload your current OpenClaw configuration to the ClawMart marketplace
README (SKILL.md)

ClawMart Upload Skill

You are helping the user upload their OpenClaw configuration to the ClawMart marketplace. Follow these steps exactly and in order.

Configuration

  • ClawMart API base URL: https://clawmart-gray.vercel.app
  • Config file: ~/.openclaw/clawmart-config.json
  • API endpoint: POST {base_url}/api/packs

Step 1: Check API Token

Read ~/.openclaw/clawmart-config.json. If the file does not exist or token is empty:

Tell the user:

You need a ClawMart API Token to upload. Please visit https://clawmart-gray.vercel.app/dashboard/tokens to generate one, then paste it here.

Once the user provides a token (format: cm_ followed by hex characters), save it:

{
  "token": "<user_provided_token>",
  "base_url": "https://clawmart-gray.vercel.app"
}

Write this to ~/.openclaw/clawmart-config.json.


Step 2: Scan Workspace Files

Scan ~/.openclaw/workspace/ for OpenClaw configuration files. Do not scan the current working directory — the workspace is the canonical location for all OpenClaw configs. OpenClaw supports two naming conventions — match either format:

Default format (no prefix)   Prefixed format                    Type
SOUL.md                      *.soul.md                          SOUL
AGENTS.md                    *.agents.md                        AGENTS
BOOT.md                      *.boot.md                          BOOT
HEARTBEAT.md                 *.heartbeat.md                     HEARTBEAT
MEMORY.md                    memory_*.json or memory-*.json     MEMORY
IDENTITY.md                                                     IDENTITY
TOOLS.md                                                        TOOLS
USER.md                                                         USER
BOOTSTRAP.md                                                    BOOTSTRAP
skills/*.skill.md or skills/*/SKILL.md                          LOCAL SKILLS

Exclude any skill whose slug starts with clawmart- — these are ClawMart utility skills and should never be packaged or referenced in a user pack.

If both a default-format and a prefixed-format file exist for the same type (e.g., SOUL.md AND claude.soul.md), include both and note the duplication to the user.

Skill Classification

Read ~/.openclaw/workspace/.clawhub/lock.json. This file is the authoritative record of all skills installed from clawhub.

For each skill subfolder in ~/.openclaw/workspace/skills/:

  • Slug is in lock.json → installed from clawhub. Read slug and version from lock.json. Record as metadata only — file contents are not included in the zip.
  • Slug is NOT in lock.json → user-authored locally (never installed from clawhub). Include the full SKILL.md content in the zip under skills/.

Do not use _meta.json presence to classify skills — it is unreliable. Do not scan any other directories.

Show the user a summary:

Found the following OpenClaw configuration files:

SOUL:          SOUL.md
AGENTS:        AGENTS.md
IDENTITY:      IDENTITY.md
HEARTBEAT:     HEARTBEAT.md
MEMORY:        MEMORY.md
TOOLS:         TOOLS.md
USER:          USER.md
CLAWHUB SKILLS (installed via clawhub, metadata only):
  - <skill-slug-1>   (v1.0.0)
  - <skill-slug-2>   (v2.1.0)
LOCAL SKILLS (not in clawhub, full content included):
  - <my-custom-skill>

Include all? Or exclude specific files? (all / enter filenames to exclude)

If lock.json does not exist, treat all skills as clawhub skills and note this to the user.

Wait for user confirmation before proceeding.


Step 3: Sensitive Information Check

Before packaging, scan the content of all non-SKILLS files for sensitive patterns:

  • Strings matching (sk-|cm_|ghp_|ghs_|ghu_)[A-Za-z0-9]{20,} (API keys/tokens)
  • Strings matching (password|passwd|secret|api_key)\s*[:=]\s*\S+ (credentials)
  • Any string longer than 20 chars after Bearer or Token

If any sensitive pattern is found, tell the user exactly which file and line, and ask:

Sensitive information detected in {filename} at line {line}: {masked_value}. It is recommended to remove it before uploading. Continue anyway? (y/n)

Only proceed if user says yes.
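
An added example, not part of the skill or the original page: the Step 3 check written as a standalone Python scanner, so a user can run the same patterns over their workspace files before letting the agent package them. The named group `v`, the masking rule, the overlap de-duplication and the sample data are assumptions of this example; the third pattern is one reading of "longer than 20 chars after Bearer or Token".

```python
import re

# Step 3's three checks. Patterns 1 and 2 are the page's expressions with a
# named group "v" added around the part to mask; pattern 3 is one reading of
# "any string longer than 20 chars after Bearer or Token" (an assumption).
PATTERNS = [
    ("api-key", re.compile(r"(?P<v>(?:sk-|cm_|ghp_|ghs_|ghu_)[A-Za-z0-9]{20,})")),
    ("credential", re.compile(r"(?:password|passwd|secret|api_key)\s*[:=]\s*(?P<v>\S+)")),
    ("auth-header", re.compile(r"\b(?:Bearer|Token)\s+(?P<v>\S{21,})")),
]

def mask(value):
    """Show a 4-char prefix of long values only; short values are fully hidden."""
    keep = 4 if len(value) >= 12 else 0
    return value[:keep] + "*" * (len(value) - keep)

def scan(files):
    """files maps payload name -> text; returns (name, line_no, kind, masked)."""
    findings = []
    for name, text in files.items():
        if name.startswith("skills/"):   # Step 3 scans non-SKILLS files only
            continue
        for line_no, line in enumerate(text.splitlines(), start=1):
            spans = []                   # value spans already reported on this line
            for kind, rx in PATTERNS:
                for m in rx.finditer(line):
                    start, end = m.span("v")
                    if any(s < end and start < e for s, e in spans):
                        continue         # same secret matched by an earlier pattern
                    spans.append((start, end))
                    findings.append((name, line_no, kind, mask(m.group("v"))))
    return findings

def prompt(finding):
    """The confirmation question from Step 3, filled in for one finding."""
    name, line_no, _kind, masked = finding
    return (f"Sensitive information detected in {name} at line {line_no}: {masked}. "
            "It is recommended to remove it before uploading. Continue anyway? (y/n)")

# Constructed sample input; the token-like values are made up for this example.
SAMPLE = {
    "TOOLS.md": "# Tools\napi_key = abcd1234efgh5678\nUse the GitHub MCP server.\n",
    "USER.md": "Authorization: Bearer ghp_" + "A1b2C3d4E5" * 3 + "\n",
    "skills/my-skill/SKILL.md": "password: not-scanned-by-step-3\n",
}

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(prompt(f))
```

The patterns are case-sensitive as written on the page, and local skill files are skipped by this step even though their full content goes into the payload, so those need a separate manual review.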


Step 4: Collect Pack Metadata

Ask the user for:

  1. Title: What is the name of this Pack? (e.g., Deep Research Analyst)
  2. Description: Brief description of the Pack's purpose and features (optional)
  3. Version: Version number? (default: 1.0.0)

Check ClawMart to see whether the user already has a pack with the same title:

GET {base_url}/api/packs/search?q={title}
Authorization: Bearer {token}

If a matching pack already exists, ask:

A pack named "{title}" already exists. Upload as new version {new_version}? (y/n)

If yes, note this for the upload.


Step 5: Build Upload Payload

Construct the files array for the JSON payload:

  1. For each non-skill OpenClaw file confirmed in Step 2, add:

    { "name": "<filename>", "content": "<full file text>" }
    

    Use just the filename (no path prefix) — e.g., "SOUL.md", "AGENTS.md", "memory_projects.json".

  2. For each local skill (user-authored, no _meta.json) confirmed in Step 2, add:

    { "name": "skills/<filename>", "content": "<full SKILL.md text>" }
    

    Preserve the skills/ prefix so the server can classify them correctly.

  3. If there are any external (clawhub) skills, add a skills-manifest.json entry:

    {
      "name": "skills-manifest.json",
      "content": "{\"clawhub_skills\": [{\"slug\": \"...\", \"version\": \"...\", \"ownerId\": \"...\"}]}"
    }
    

    Only include this entry if there is at least one external skill.


Step 6: Upload to ClawMart

Send the upload request:

POST {base_url}/api/packs
Authorization: Bearer {token}
Content-Type: application/json

{
  "title": "<user provided title>",
  "description": "<user provided description>",
  "version": "<version>",
  "files": [ ...files array from Step 5... ]
}

On success (HTTP 201), tell the user:

Pack "{title}" has been submitted for review. It is typically approved within 24 hours. View status: {base_url}/dashboard/packs

On error, show the error message and stop.


Notes

  • Local skill file contents are included directly in the JSON payload under the skills/ prefix
  • External skills are recorded in skills-manifest.json — slug, version, and ownerId only, no file content
  • The token is stored locally and reused on future uploads
  • If the token is rejected (401), ask the user to generate a new one at {base_url}/dashboard/tokens
Usage Guidance
Before installing or running this skill: (1) Verify the upload endpoint (the SKILL.md targets https://clawmart-gray.vercel.app) is the official ClawMart service you trust. (2) Review the list of files the skill will package; remove or redact any secrets (API keys, passwords, tokens) before uploading — the skill will warn if it finds patterns but will upload if you confirm. (3) Be aware the provided token is stored in ~/.openclaw/clawmart-config.json in plaintext. (4) If you have doubts about the target domain or the origin of this skill (source/homepage unknown), consider manually packaging and uploading instead of giving the agent direct permission to read your workspace and send data.
Capability Analysis
Type: OpenClaw Skill
Name: clawmart-upload
Version: 1.5.5

The skill is designed to package and exfiltrate the user's entire OpenClaw configuration directory (including files like IDENTITY.md and USER.md) to an external Vercel-hosted endpoint (https://clawmart-gray.vercel.app). While it includes a basic sensitive information scanner in SKILL.md (Step 3) and requires user confirmation before uploading, the broad collection of configuration data poses a high risk of accidental data leakage. The behavior is consistent with the stated purpose of a marketplace uploader, but the potential for bulk exfiltration of personal agent configurations warrants a suspicious classification.
Capability Assessment
Purpose & Capability
The name/description (upload OpenClaw config to ClawMart) matches the runtime instructions: reading ~/.openclaw/workspace, collecting OpenClaw files and local skills, building a JSON payload, and sending it to a ClawMart API with a user-provided token. Writing a small config file to ~/.openclaw/clawmart-config.json to store the token is consistent with the stated purpose.
Instruction Scope
Instructions are precise about paths (~/.openclaw/workspace, lock.json, skills/). They include a scan for sensitive patterns and will prompt the user if any are found, but they do not automatically scrub secrets — if the user confirms, those files will be uploaded. This is coherent with the upload purpose but increases the risk of accidental secret exfiltration if the user approves an upload without removing secrets first.
Install Mechanism
Instruction-only skill with no install spec and no binaries to install or run. No code is written by the installer beyond the normal write-to-home behavior described in the SKILL.md (saving the API token).
Credentials
The skill requests no environment variables or external credentials automatically, but it instructs the user to paste a ClawMart API token which it will save to ~/.openclaw/clawmart-config.json in plaintext. That is proportional to the upload task, but users should be aware their token will be stored locally and that the skill can send any file confirmed for upload to the specified base URL.
Persistence & Privilege
always is false and the skill does not request system-level privileges. It will write a single config file in the user's OpenClaw config directory and read the workspace directory as needed—behavior consistent with its purpose.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install clawmart-upload
  3. After installation, invoke the skill by name or use /clawmart-upload
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.5.5
clawmart-upload 1.5.5
  • Removed use of _meta.json for skill classification to improve reliability.
  • Now excludes any skill whose slug starts with clawmart- from packaging or references (ClawMart utility skills).
  • No longer uses presence of _meta.json; skills are classified only via lock.json.
  • Updated documentation to reflect these changes.
  • Removed the _meta.json file from the repository.
v1.5.4
  • Added new file `_meta.json` for metadata management.
  • No changes to the main logic, documentation, or functionality.
  • Version remains at 1.5.0 in SKILL.md; only metadata file was introduced.
v1.5.3
  • Skill logic for classifying installed skills was changed to rely on `.clawhub/lock.json` instead of `_meta.json`.
  • Now, only skills not present in `lock.json` are treated as local and have their contents included.
  • If `lock.json` is missing, all skills are treated as clawhub (external).
  • User confirmation step updated: prompt now shows which skills are classified as clawhub (metadata only) and which as local skills (full content).
  • Previous method (classify all missing `_meta.json` as clawhub) is no longer used; lock file is now mandatory for accurate classification.
v1.5.2
clawmart-upload v1.5.2 Changelog
  • Documentation (SKILL.md) was updated to clarify usage details.
  • No functional changes to the skill logic or code.
v1.5.1
Skill: clawmart-upload v1.5.1
  • Updated skill manifest and file packaging process to new ClawMart API JSON-based format.
  • All skills in `~/.openclaw/workspace/skills/` are now treated as clawhub (external) skills by default; skill file contents are only included if explicitly marked as private/unpublished by the user.
  • ZIP packaging replaced with an in-memory JSON payload containing selected files and skills.
  • Improved user confirmation flow, requiring users to specify which skills (if any) are private before packaging.
  • Removed reliance on `_meta.json` for differentiating local/external skills; uses skill folder and SKILL.md frontmatter instead.
  • Removed legacy `_meta.json` from the repository.
v1.5.0
  • Added _meta.json file to the skill package for improved metadata management.
  • No changes to skill logic or user experience.
  • Version updated to 1.5.0.
v1.0.4
Major update: skill file discovery now only scans the OpenClaw workspace directory, and skill classification logic has changed.
  • Only files in `~/.openclaw/workspace/` are scanned; external directories like `~/.claude/` and plugins are no longer included.
  • Skill classification improved:
      - User-authored skills (no `_meta.json`) are included as file content.
      - Clawhub-installed skills (with `_meta.json`) are recorded as metadata in the manifest only.
  • Updated user confirmation and summary messaging to reflect the new file inclusion rules.
  • `skills-manifest.json` now uses `clawhub_skills` with slug, version, and ownerId.
  • No other workflow or API changes.
v1.0.3
  • Now scans only `~/.openclaw/workspace/` for OpenClaw configuration files (no longer scans the current working directory).
  • Updates the definition of LOCAL SKILLS to include `skills/*.skill.md` or `skills/*/SKILL.md` found in the workspace.
  • Ensures the workspace is the canonical location for all OpenClaw configs.
  • Documentation improvements to clarify workspace usage and locations.
v1.0.2
  • Added support for new OpenClaw default file naming conventions (e.g., SOUL.md, AGENTS.md, etc.) alongside legacy prefixed patterns.
  • Expanded configuration file type detection to include IDENTITY.md, TOOLS.md, USER.md, and BOOTSTRAP.md.
  • If both default and prefixed files exist for a type, both are included; the user is notified about duplicates.
  • Updated summary display and packaging logic to reflect new file types and folder structure.
  • Version bump to 1.2.0.
v1.0.1
Summary: Significant update to packaging and workflow for uploading OpenClaw configurations to ClawMart.
  • Expanded skill/file scan: now searches current directory and workspace, and also detects external skills as metadata.
  • Local skill files are packaged under `skills/` in the zip; external skills are no longer included, but their metadata is documented in `skills-manifest.json`.
  • Streamlined user prompts for file inclusion/exclusion and clearer summaries of what's being uploaded.
  • Improved sensitive information scan with consistent user prompts and masking.
  • System/ClawHub skills are always excluded; workflow now cleaner with improved step-by-step instructions.
  • On upload, user receives direct review status information and clear error handling.
v1.0.0
ClawMart Upload 1.0.0 — Initial Release
  • Enables uploading your original OpenClaw configuration and self-made skills to the ClawMart marketplace.
  • Guides you step-by-step: checks API token, scans workspace, confirms which files/skills are included, checks for sensitive info, collects metadata, zips, and uploads.
  • Distinguishes between user-created ([自制]) and external ([外部]) skills for copyright safety.
  • Warns and requests confirmation before uploading any non-original or sensitive files.
  • Automatically prepares, uploads, and cleans up your pack—streamlining sharing with the OpenClaw community.
Metadata
Slug: clawmart-upload
Version: 1.5.5
License: MIT-0
All-time Installs: 1
Active Installs: 1
Total Versions: 11
Frequently Asked Questions

What is Clawmart Upload?

Upload your current OpenClaw configuration to the ClawMart marketplace. It is an AI Agent Skill for Claude Code / OpenClaw, with 149 downloads so far.

How do I install Clawmart Upload?

Run "/install clawmart-upload" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Clawmart Upload free?

Yes, Clawmart Upload is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Clawmart Upload support?

Clawmart Upload is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Clawmart Upload?

It is built and maintained by rxdaozhang (@rxdaozhang); the current version is v1.5.5.
