← Back to Skills Marketplace
wanng-ide

ClawHub Skill Publisher

by WANGJUNJIE · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
599
Downloads
2
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install clawhub-skill-publisher
Description
Publishes and syncs local bot skills to ClawHub using non-browser login, preflight safety checks, and automated release scripts for single or batch workflows.
README (SKILL.md)

ClawHub Skill Publisher

What this skill does

  • Publishes one local skill folder to ClawHub.
  • Syncs a whole local skills directory to ClawHub.
  • Logs in non-interactively using CLAWHUB_TOKEN from env or .env.
  • Avoids printing token values in logs.
  • Runs preflight checks before publish (ASCII/CJK and secret-leak checks).

Why bots and agents install this

  • Removes manual release steps and avoids copy-paste mistakes.
  • Adds deterministic preflight checks for safer public publishing.
  • Supports CI-style non-browser login for unattended automation.
  • Works with both single-skill release and multi-skill sync workflows.

Preconditions

  1. clawhub CLI is installed.
  2. A valid token exists in one of:
    • current shell env: CLAWHUB_TOKEN
    • default env file: ~/.openclaw/.env
  3. Skill directory contains SKILL.md (or skill.md).

Single skill publish

Run:

bash scripts/publish_skill.sh \
  --path "$HOME/.openclaw/workspace/skills/your-skill" \
  --slug "your-skill" \
  --name "Your Skill" \
  --version "1.0.0" \
  --changelog "Initial publish" \
  --tags "latest"

Notes:

  • --slug, --name, and --version are optional. The script tries to infer them from package.json and _meta.json.
  • You can override registry with --registry https://clawhub.ai or https://www.clawhub.ai.
  • Use --dry-run to only print the final command.
  • Use --allow-cjk only when your registry policy allows non-English text.

Batch sync local skills

Run:

bash scripts/sync_skills.sh \
  --root "$HOME/.openclaw/workspace/skills" \
  --bump patch \
  --changelog "Automated sync" \
  --tags "latest"

Notes:

  • Sync uses clawhub sync --all for non-interactive upload.
  • Use --dry-run to preview without uploading.

Safety rules

  • Never print or echo token values.
  • Never commit .env or token files.
  • If auth fails, stop and ask user to rotate/confirm token.
  • Default policy blocks Chinese/CJK text from skill payload before publishing.
  • Default policy blocks common secret patterns before publishing.

Files in this skill

  • scripts/publish_skill.sh
  • scripts/sync_skills.sh
Usage Guidance
This package appears to implement a reasonable publish/sync flow, but the metadata is missing important prerequisites. Before installing or running: 1) Confirm the 'clawhub' CLI is an official, trusted binary and decide where it will be installed. 2) Be aware the scripts read CLAWHUB_TOKEN (from env or $HOME/.openclaw/.env) — do not provide a high-privilege token unless necessary; prefer a scoped token and rotate it after use. 3) Inspect ~/.openclaw/.env handling and ensure that file is stored securely (scripts read it if present). 4) Use --dry-run first and run the scripts in an isolated environment (or CI worker) to observe behavior. 5) If you are the publisher: update the registry metadata to declare required env vars (CLAWHUB_TOKEN) and required binaries (clawhub, python3) so callers are not surprised. If the author can provide an official source for the 'clawhub' CLI and update metadata to declare the token/binaries, my concerns would decrease.
Capability Analysis
Type: OpenClaw Skill Name: clawhub-skill-publisher Version: 1.0.0 The skill bundle is designed for publishing and syncing OpenClaw skills, and its code and documentation demonstrate a strong focus on security and safety. It includes preflight checks to prevent accidental secret leaks and enforce content policies (e.g., blocking CJK text by default), uses secure methods for handling API tokens (reading from env/file, not printing), and employs robust shell scripting practices like argument arrays to mitigate injection risks. There are no indications of prompt injection attempts in the markdown files, data exfiltration to unauthorized endpoints, persistence mechanisms, or other malicious behaviors. The functionality is clearly aligned with its stated purpose.
Capability Assessment
Purpose & Capability
The skill claims to publish/sync to ClawHub and the scripts do exactly that (they call a local 'clawhub' CLI and use a CLAWHUB_TOKEN). However, the registry metadata lists no required environment variables or binaries — but the runtime requires CLAWHUB_TOKEN (or reading ~/.openclaw/.env) and the 'clawhub' CLI and python3. The missing declarations are an incoherence between claimed purpose and declared requirements.
Instruction Scope
SKILL.md and the scripts restrict operations to publishing/syncing workflows: they scan only the given skill directory for secrets/CJK, read token from env or ~/.openclaw/.env, and call the 'clawhub' CLI. The preflight checks operate only on files under the provided skill path and will halt on detected secret patterns or blocked files. No external endpoints or obfuscated exfiltration code are present in the scripts themselves.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. However, the runtime relies on external tools ('clawhub' CLI and python3). These required binaries are not declared in the metadata, which is an omission that should be corrected so callers know prerequisites.
Credentials
The scripts require a CLAWHUB_TOKEN (env or ~/.openclaw/.env) and may set CLAWHUB_REGISTRY; but the skill metadata declares no required env vars or primary credential. Requesting a single service token is proportionate to the stated purpose — the problem is that it isn't advertised in the metadata, which could lead to surprises or accidental token exposure if users don't expect the token access.
Persistence & Privilege
The skill does not request permanent platform presence (always:false), does not modify other skills or global agent settings, and does not store credentials itself beyond reading them from env/.env. Autonomy (disable-model-invocation:false) is the platform default and not a meaningful additional risk here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install clawhub-skill-publisher
  3. After installation, invoke the skill by name or use /clawhub-skill-publisher
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial public release: secure ClawHub publish automation with preflight checks
Metadata
Slug clawhub-skill-publisher
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is ClawHub Skill Publisher?

Publishes and syncs local bot skills to ClawHub using non-browser login, preflight safety checks, and automated release scripts for single or batch workflows. It is an AI Agent Skill for Claude Code / OpenClaw, with 599 downloads so far.

How do I install ClawHub Skill Publisher?

Run "/install clawhub-skill-publisher" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is ClawHub Skill Publisher free?

Yes, ClawHub Skill Publisher is completely free (open-source). You can download, install and use it at no cost.

Which platforms does ClawHub Skill Publisher support?

ClawHub Skill Publisher is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created ClawHub Skill Publisher?

It is built and maintained by WANGJUNJIE (@wanng-ide); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments