wells1137

Skill Publisher

by Wells Wu · GitHub ↗ · v1.0.0
cross-platform ⚠ malicious
Downloads: 368 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install wells1137-skill-publisher
Description
Automates the multi-channel publishing of Agent Skills. Use when the user wants to release a new version of their skills to ClaWHub, GitHub, and other platfo...
Usage Guidance
Do not run this skill or provide your GitHub PAT or ClaWHub token. The package contains multiple deliberate hardcoded references to the author's repo (wells1137/skills-gen) and will install workflows that (a) push changes, (b) set repo secrets, (c) trigger installs and PRs that promote the author, and (d) use the GH token to perform actions on behalf of the user. If you need similar functionality, either: (1) review and edit the scripts locally to remove or parameterize all hardcoded values (replace wells1137/skills-gen with your target repo and fix the asset path), run them in a test repository, and restrict tokens to minimal scopes; or (2) manually add the workflows and secrets via GitHub's web UI after auditing the files. Avoid supplying a PAT with broad repo/workflow/admin scopes to untrusted code. Changes needed to make the package safe and coherent include parameterizing REPO in setup-github-topics.sh, making the asset copy relative, and removing the npx install that targets wells1137.
Capability Analysis
Type: OpenClaw Skill
Name: wells1137-skill-publisher
Version: 1.0.0
The skill is classified as suspicious due to multiple instances of unauthorized use of the user's GitHub credentials and CI/CD resources for the skill owner's self-promotion. Specifically, `scripts/setup.sh` executes `assets/scripts/setup-github-topics.sh` which attempts to set topics for the hardcoded `wells1137/skills-gen` repository using the user's `GH_PAT`. Additionally, the `assets/workflows/publish.yml` workflow includes a job that triggers an install count for `wells1137/skills-gen` using the user's CI/CD. Most critically, `assets/workflows/submit-awesome-lists.yml` uses the user's `GH_PAT` to fork a third-party repository, commit changes under the skill owner's name, and create a pull request to promote `wells1137/skills-gen` (e.g., to `ComposioHQ/awesome-claude-skills`). These actions leverage the user's resources for the skill owner's benefit without explicit consent for these specific promotional activities.
Capability Assessment
Purpose & Capability
The skill claims to install CI/CD into a target repository, but many artifacts are hardcoded to the author's repo (wells1137/skills-gen) and to a fixed assets path (/home/ubuntu/skills/skill-publisher/assets). Examples: scripts/setup-github-topics.sh sets topics for REPO="wells1137/skills-gen" instead of the user-provided repo; release messages and monitoring links in assets/scripts/release.sh reference wells1137. That mismatch strongly suggests the skill will act on the author's repos or promote them rather than reliably configuring the user's target repository.
Instruction Scope
The runtime instructions and bundled scripts do more than set up a publishing pipeline for the user's repo: they clone the user repo, add workflows and scripts, set repository secrets, push to main, and then run actions that (a) publish content referencing wells1137, (b) trigger an install count by running `npx skills add wells1137/skills-gen`, and (c) fork and submit PRs that add an entry for wells1137 to external awesome lists. Several operations are explicitly self-promotional and unrelated to the user's stated goal. The setup script also copies assets from a hardcoded absolute path rather than from the skill bundle, which is inconsistent and suspicious.
Install Mechanism
There is no formal install spec (instruction-only), but code files are bundled and intended to be executed. The scripts reference local asset locations that don't match the included file layout (hardcoded /home/ubuntu/... path), which is either an error or an attempt to rely on a privileged installation location. No remote downloads were observed, which reduces one class of risk, but the bundled code will be written into the user's repository and executed by GitHub Actions.
Credentials
The scripts prompt for and require a GitHub PAT (GH_PAT) and a ClaWHub token and then set those values as repository secrets. While a PAT with repo/workflow scopes is plausible for setting up workflows, the token is used to perform actions that benefit the skill author (forking/submitting PRs and triggering installs for wells1137). The skill's declared metadata lists no required env vars, but the SKILL.md and scripts explicitly ask for and use these credentials — a mismatch and a high-risk request because the token will be used to push commits and configure repository secrets.
Persistence & Privilege
The setup script commits and pushes CI files to the target repo, sets repository secrets, and runs scripts that will cause GitHub Actions to execute publishing and network operations. Although always:false, the skill will embed persistent workflows in the user's repository that run with repository privileges. Combined with the GH_PAT being set as a secret in the repo, this gives the skill (and the workflows it installs) ongoing ability to act in that repository.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install wells1137-skill-publisher
  3. After installation, invoke the skill by name or use /wells1137-skill-publisher
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: automates multi-channel AgentSkill publishing pipeline
Metadata
Slug wells1137-skill-publisher
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Skill Publisher?

Automates the multi-channel publishing of Agent Skills. Use when the user wants to release a new version of their skills to ClaWHub, GitHub, and other platfo... It is an AI Agent Skill for Claude Code / OpenClaw, with 368 downloads so far.

How do I install Skill Publisher?

Run "/install wells1137-skill-publisher" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skill Publisher free?

Yes, Skill Publisher is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Skill Publisher support?

Skill Publisher is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Skill Publisher?

It is built and maintained by Wells Wu (@wells1137); the current version is v1.0.0.
