- Downloads: 954
- Stars: 2
- Active Installs: 1
- Versions: 1
Install in OpenClaw
/install skill-publish
Description
Safely publish skills to ClawHub. Sanitize, format, verify, and publish without modifying your local files.
Usage Guidance
This skill appears to implement a reasonable safe-publish workflow, but double-check before using:
- Confirm the agent actually follows the sanitize.md checklist and does not publish until you explicitly approve the verification prompt. Do not rely solely on automated detection.
- Be cautious of the transform.md advice to 'include by default' — it makes it easier to accidentally include private items. Prefer excluding when unsure and ask the agent to highlight anything it included that looks sensitive.
- The publish step uses `npx clawhub publish`; ensure you understand how ClawHub authentication will be provided (interactive login, environment variables, or token). Do not paste long-lived tokens into skill content. Prefer using ephemeral credentials or logging in interactively.
- Test the workflow on a harmless example in a temp folder (/tmp/publish-test) to confirm the agent's behavior before publishing real content.
- If you have any private files, secrets, or internal URLs, remove or genericize them manually rather than relying only on automated sanitization.
If you want higher assurance, ask the skill author (or the agent) to show a complete, post-sanitization preview of the exact files that will be published and confirm that no credentials or private endpoints remain.
Capability Analysis
Type: OpenClaw Skill
Name: skill-publish
Version: 1.0.0
The skill's primary function is to safely publish other skills, with strong emphasis on sanitization and user approval. However, the `verify.md` file instructs the agent to execute `npx clawhub publish` and `npx clawhub install` commands, which accept user-controlled parameters like `--slug` and `--name`. If the OpenClaw agent does not rigorously sanitize these user-provided strings before executing the shell command, it could lead to a command injection vulnerability (RCE). While the skill's instructions do not explicitly encourage malicious behavior, this potential for RCE via unsanitized input makes it suspicious.
Capability Assessment
Purpose & Capability
The name/description (publish skills to ClawHub) align with the instructions (transform, sanitize, verify, publish). One small inconsistency: the verify.md shows an npx clawhub publish command (which implies the presence of npm/npx and ClawHub tooling/credentials), yet the skill declares no required binaries or credentials. This is plausible (the agent may prompt the user for any required auth at runtime) but should be called out.
Instruction Scope
SKILL.md and its auxiliary files stay within the publishing workflow, explicitly forbid modifying originals, and require user approval. Good: clear sanitization checklist and explicit verification steps. Caution: transform.md's 'Default: Include it' guidance and the suggestion to 'When in doubt, include more' encourage erring on the side of inclusion, which can increase the risk of accidentally publishing sensitive data unless the agent rigorously follows sanitize.md and verify.md.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself. Low install risk.
Credentials
The skill declares no required env vars or credentials, which is appropriate for a generic publishing helper. However, the publish step (npx clawhub publish) will require network access and ClawHub authentication in practice; the skill does not document how credentials are obtained or handled. That omission is operationally important but does not necessarily indicate malicious intent.
Persistence & Privilege
`always` is false, and the instructions explicitly require working in a separate temporary folder and never modifying original files. The skill does not ask to persist or change agent/system-level configuration. Autonomous invocation is allowed (platform default) but not by itself a concern here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install skill-publish`
- After installation, invoke the skill by name or use `/skill-publish`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release - Safe skill publishing with sanitization
Frequently Asked Questions
What is Skill Publish?
Safely publish skills to ClawHub. Sanitize, format, verify, and publish without modifying your local files. It is an AI Agent Skill for Claude Code / OpenClaw, with 954 downloads so far.
How do I install Skill Publish?
Run "/install skill-publish" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Skill Publish free?
Yes, Skill Publish is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Skill Publish support?
Skill Publish is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Skill Publish?
It is built and maintained by Iván (@ivangdavila); the current version is v1.0.0.