← Back to Skills Marketplace
dingtom336-gif

Skill Publish To Market

by dingtom336-gif · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
84
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install skill-publish-to-market
Description
Publish any SKILL.md to 4 skill markets (ClawHub, Anthropic Skills, ECC Community, skills.sh) with one command. Collects tokens, validates quality, creates P...
Usage Guidance
This skill appears to do what it claims (publish SKILL.md to ClawHub and several GitHub-based registries), but proceed with caution: - Source trust: the package has no homepage and an unknown owner; verify the origin before providing credentials. - High-privilege token: it asks for a GitHub PAT with 'repo' scope (very powerful). If possible, create a temporary, least-privilege PAT limited to what you need (or a throwaway account) and revoke it after use. - Live API calls: the skill requires curl and forces real API requests (it has a 'self-test' requiring actual API responses). Expect network activity and PR creation on your GitHub account. - Sensitive data handling: the SKILL.md instructs not to store tokens and to mask them in output, but that is an instruction — there is no enforcement. Do not paste tokens into chat logs you don't control. - Test first: run a dry-run on a small test skill or sandbox account to observe behavior (or run in an isolated environment). If you want to proceed: (1) provide the minimum-scoped tokens you can, (2) confirm the exact target repos and branches before the skill creates forks/PRs, and (3) monitor your GitHub security audit log and revoke the token after the operation if you used elevated scopes.
Capability Analysis
Type: OpenClaw Skill Name: skill-publish-to-market Version: 1.0.0 The skill automates the publishing of code to multiple marketplaces and requires high-privilege credentials, specifically GitHub Personal Access Tokens (PAT) with 'repo' and 'workflow' scopes and ClawHub tokens. It executes shell-based network operations via curl to external endpoints (api.github.com, clawhub.ai) and performs file manipulations using sed and grep. While the behavior is aligned with the stated purpose and includes explicit instructions in SKILL.md to avoid logging tokens, the handling of sensitive credentials and the potential for shell injection via unvalidated metadata or file paths in templates.md represents a significant security risk.
Capability Assessment
Purpose & Capability
The skill name/description (publish SKILL.md to multiple markets) aligns with the operations described in SKILL.md (Quality Gate, platform adaptation, PR creation, ClawHub API). However the registry metadata declared no required binaries/env but the runtime instructions explicitly require curl and other Unix utilities — metadata and runtime requirements are inconsistent.
Instruction Scope
SKILL.md contains explicit, detailed runtime steps that stay within the stated publish purpose (reading SKILL.md and reference files, validating frontmatter, calling GitHub and ClawHub APIs). Two notable instruction items expand the runtime surface: (1) a 'Self-test' rule that mandates including actual API response data in outputs (forces live network calls), and (2) batch discovery logic that may scan user directories (find) within the user-provided base path. Neither is obviously malicious but they increase the chance of live network activity and broader file system access if misused.
Install Mechanism
This is instruction-only with no install spec and no code files to execute — low install risk. The README suggests copying the folder into an agent skills directory, which is normal for agent skills. No remote downloads or extracted archives are present.
Credentials
The skill requires interactive collection of a GitHub Personal Access Token with 'repo' (full repository) and 'workflow' scopes and a ClawHub token. Those credentials are justified for creating forks/branches/files/PRs and for calling the ClawHub API, but the GitHub PAT with 'repo' scope is high privilege (it can access all repositories accessible to the token owner). The skill claims never to store tokens, but it will perform live API calls and build requests using those tokens — verify you trust the skill source before providing a powerful token. The registry metadata lists no required env vars even though the skill depends on tokens at runtime (interactive collection rather than env vars).
Persistence & Privilege
The skill is not force-enabled (always: false) and does not request system-wide configuration changes or other skills' credentials. It suggests writing logs and optionally copying itself into an agent's skill directory, which is normal for skills and scoped to the skill itself.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install skill-publish-to-market
  3. After installation, invoke the skill by name or use /skill-publish-to-market
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release with one-command publishing to four skill markets. - Publish any SKILL.md to ClawHub, Anthropic Skills, ECC Community, and skills.sh via curl. - Handles token collection and credential verification securely. - Validates skill quality before publishing with a mandatory pre-check. - Automatically adapts publishing workflow per platform, creates PRs, and resolves version conflicts. - Supports version bumping and PR status checking.
Metadata
Slug skill-publish-to-market
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Skill Publish To Market?

Publish any SKILL.md to 4 skill markets (ClawHub, Anthropic Skills, ECC Community, skills.sh) with one command. Collects tokens, validates quality, creates P... It is an AI Agent Skill for Claude Code / OpenClaw, with 84 downloads so far.

How do I install Skill Publish To Market?

Run "/install skill-publish-to-market" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skill Publish To Market free?

Yes, Skill Publish To Market is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Skill Publish To Market support?

Skill Publish To Market is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Skill Publish To Market?

It is built and maintained by dingtom336-gif (@dingtom336-gif); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463942 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259883 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200739 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191401 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190375 · by oswalpalash

💬 Comments