← Back to Skills Marketplace
Clawhub Publish Security
by
Vilém Kužel
· GitHub ↗
· v1.0.1
· MIT-0
50
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install clawhub-publish-security
Description
Automated pre-publish scanner that detects and blocks sensitive data like credentials, tokens, emails, and personal paths in ClawHub skills.
README (SKILL.md)
ClawHub Publish Security Skill 🔒
Description
Mandatory security scanner for ClawHub skill publication. Automatically detects and prevents accidental exposure of sensitive information in skills before publication.
When to Use This Skill
ALWAYS run before clawhub publish:
- Publishing your first skill
- Updating existing skills
- Any skill that contains configuration examples
- Scripts that handle credentials or paths
Installation
# Install via ClawHub
clawhub install clawhub-publish-security
# The skill installs:
# - security-scan.py (automated scanner)
# - README.md (complete security guide)
# - SKILL.md (this file)
Usage
Quick Scan
# Scan a skill before publication
python skills/clawhub-publish-security/security-scan.py skills/your-skill
# Or from skill directory
cd skills/your-skill
python ../clawhub-publish-security/security-scan.py .
Pre-Publish Workflow
# 1. Create your skill
cd skills/my-awesome-skill
# 2. Run security scan
python ../clawhub-publish-security/security-scan.py .
# 3. Fix any issues found
# 4. Re-run scan until clean
python ../clawhub-publish-security/security-scan.py .
# 5. Publish only when scan passes
clawhub publish . --slug my-awesome-skill
What It Checks
❌ Blocked Patterns (Will Fail Scan)
| Type | Pattern | Example (❌ BAD) | Fix (✅ GOOD) |
|---|---|---|---|
| Phone Numbers | +420..., +1... |
+420XXXXXXXXX |
\x3CYOUR_PHONE_NUMBER> |
| Personal Paths | `Users\ | ||
| ame` | C:\COMFYUI |
C:\ComfyUI |
|
| API Keys | api_key=XXX |
api_key=sk-XXX |
os.environ.get("API_KEY") |
| Tokens | token=XXX |
token=ghp_XXX |
\x3CYOUR_TOKEN> |
| Emails | [email protected] |
[email protected] |
\x3CYOUR_EMAIL> |
| Passwords | password=XXX |
password=XXX |
\x3CYOUR_PASSWORD> |
| Secrets | secret=XXX |
secret=XXX |
\x3CYOUR_SECRET> |
✅ Allowed Patterns (Safe)
| Type | Example | Status |
|---|---|---|
| Placeholders | \x3CYOUR_PHONE_NUMBER> |
✅ Safe |
| Env vars | os.environ.get("API_KEY") |
✅ Safe |
| Generic paths | C:\ComfyUI, ~/.openclaw |
✅ Safe |
| Author name | "author": "Name (user)" |
✅ Safe |
| Public URLs | https://github.com/... |
✅ Safe |
Output Examples
Clean Scan ✅
============================================================
[LOCK] ClawHub Publish Security Scanner
============================================================
[DIR] Scanning: C:\Users\vilda\.openclaw\workspace\skills\your-skill
[OK] Phone Numbers: CLEAN (0 found)
[OK] Personal Paths: CLEAN (0 found)
[OK] API Keys: CLEAN (0 found)
[OK] Tokens: CLEAN (0 found)
[OK] Emails: CLEAN (0 found)
[OK] Passwords: CLEAN (0 found)
[OK] Secrets: CLEAN (0 found)
[PASS] ALL CHECKS PASSED - Ready for publication!
[OK] You can now safely run: clawhub publish
Failed Scan ❌
============================================================
[LOCK] ClawHub Publish Security Scanner
============================================================
[DIR] Scanning: C:\Users\vilda\.openclaw\workspace\skills\your-skill
[FAIL] Phone Numbers: FOUND (1 issue)
- config.json:15: "+420XXXXXXXXX"
[OK] Personal Paths: CLEAN (0 found)
[OK] API Keys: CLEAN (0 found)
...
============================================================
[FAIL] SECURITY ISSUES FOUND - Do NOT publish!
Total issues: 1
============================================================
[INFO] How to fix:
- Phone numbers: Replace with \x3CYOUR_PHONE_NUMBER>
[FAIL] After fixing, re-run: python security-scan.py /path/to/skill
[OK] Only publish when ALL checks pass!
Files to Scan
Always Scan These:
| File | Risk Level | Common Issues |
|---|---|---|
*.py, *.js |
🔴 High | Hardcoded credentials |
config.json |
🔴 High | API keys, tokens |
*.sh, *.ps1 |
🔴 High | Personal paths |
README.md |
🟡 Medium | Example values |
SKILL.md |
🟡 Medium | Config examples |
Safe to Skip:
| File | Reason |
|---|---|
*.md (docs only) |
Low risk, but still scanned |
LICENSE |
No credentials |
.gitignore |
No credentials |
Integration
OpenClaw Pre-Publish Hook
Add to your workflow:
# Before every publish
alias clawhub-publish="python skills/clawhub-publish-security/security-scan.py . && clawhub publish"
# Usage
clawhub-publish . --slug my-skill
CI/CD Pipeline
# GitHub Actions example
- name: Security Scan
run: python skills/clawhub-publish-security/security-scan.py ./skills/my-skill
- name: Publish to ClawHub
if: success()
run: clawhub publish ./skills/my-skill
Best Practices
DO ✅
# Environment variables
api_key = os.environ.get("API_KEY")
# Generic paths
comfyui_path = r"C:\ComfyUI"
# Placeholders in docs
"target": "\x3CYOUR_PHONE_NUMBER>"
# Author attribution
"author": "Name (username)"
DON'T ❌
# Hardcoded credentials
api_key = "sk-XXX"
# Personal paths
comfyui_path = r"C:\\x3Cname>\ComfyUI"
# Real values in examples
"target": "+420XXXXXXXXX"
Troubleshooting
False Positive: Email in Author Field
Problem: Scanner flags email in author attribution
Solution: This is intentional - emails should not be in published skills. Use:
"author": "Name (username)"
False Positive: Generic Path
Problem: C:\Program Files flagged
Solution: This is a system path, should be safe. If flagged, report as bug.
Scan Hangs
Problem: Scan takes too long
Solution: Check for large files or binary files. Add to .gitignore.
Related Skills
- clawhub-smart-updater - Safe skill updates
- openclaw-safe-audit - Security audit for OpenClaw
- edgeone-clawscan - Tencent security scanner
License
MIT-0 - Free to use, modify, and redistribute without attribution.
Author
Klepeto 🦞 (vilda)
Created: 2026-05-07
Purpose: Prevent security incidents in published ClawHub skills
Changelog
1.0.0 (2026-05-07)
- Initial release
- Automated security scanning
- Pattern detection for 7 sensitive data types
- Pre-publish checklist
- CI/CD integration support
Usage Guidance
This skill appears reasonable to use as a local pre-publish helper. Run it only on the skill folder you intend to publish, keep any failed-scan output private, and do not treat a clean pass or the self-authored vetting report as complete security assurance.
Capability Analysis
Type: OpenClaw Skill
Name: clawhub-publish-security
Version: 1.0.1
The skill is a legitimate security utility designed to scan local directories for sensitive information (API keys, passwords, phone numbers) before publication to ClawHub. The core logic in `security-scan.py` uses regular expressions to identify potential leaks and provides remediation advice without any network activity, data exfiltration, or persistence mechanisms. The documentation (SKILL.md, README.md, and VETTING_REPORT.md) is transparent, consistent with the tool's defensive purpose, and contains no malicious instructions or prompt-injection attempts.
Capability Tags
Capability Assessment
Purpose & Capability
The stated purpose matches the code: it scans files for credential-like and personal-data patterns. The noteworthy behavior is expected for the purpose, but it handles sensitive matches directly.
Instruction Scope
The instructions show user-run commands, optional shell aliases, and CI examples before publishing; there is no evidence of hidden autonomous publishing, approval suppression, or goal hijacking.
Install Mechanism
No install script or package dependency is used; the runnable Python script is included and visible. Users still need a local Python interpreter for the documented commands.
Credentials
The scan target is user-supplied and recursively scanned, which is proportionate for a skill directory but could be overbroad if pointed at a home directory, large repository, or shared workspace.
Persistence & Privilege
The provided code does not store results to disk, request credentials, access accounts or wallets, invoke subprocesses, or make network calls.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install clawhub-publish-security - After installation, invoke the skill by name or use
/clawhub-publish-security - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Added VETTING_REPORT.md explaining false positive Suspicious flag - this is a defensive security tool, not a threat.
v1.0.0
Initial release - Automated security scanner for ClawHub skill publication. Detects phone numbers, personal paths, API keys, tokens, emails, passwords, and secrets.
Metadata
Frequently Asked Questions
What is Clawhub Publish Security?
Automated pre-publish scanner that detects and blocks sensitive data like credentials, tokens, emails, and personal paths in ClawHub skills. It is an AI Agent Skill for Claude Code / OpenClaw, with 50 downloads so far.
How do I install Clawhub Publish Security?
Run "/install clawhub-publish-security" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Clawhub Publish Security free?
Yes, Clawhub Publish Security is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Clawhub Publish Security support?
Clawhub Publish Security is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Clawhub Publish Security?
It is built and maintained by Vilém Kužel (@vilda007); the current version is v1.0.1.
More Skills