franklu0819-lang

Clawhub Manager

by xiaofei · GitHub ↗ · v1.2.0 · MIT-0
cross-platform · ✓ Security Clean
Downloads: 648 · Stars: 0 · Active Installs: 6 · Versions: 4
Install in OpenClaw
/install clawhub-manager
Description
ClawHub skill management tool. Wraps publishing, deleting, inspecting and searching skills to make it easy to manage skills on ClawHub.
README (SKILL.md)

ClawHub Management Skill

Simplifies publishing, deleting, inspecting and searching ClawHub skills.

Features

  • Publish skills - publish a local skill to ClawHub
  • Delete skills - delete a published skill from ClawHub
  • Inspect skills - view a skill's details and statistics
  • Search skills - search for skills on ClawHub
  • List skills - list locally installed skills

Quick Start

Inspect a skill

# Show skill details
bash /root/.openclaw/workspace/skills/clawhub-manager/scripts/inspect.sh feishu-voice

# Show skill statistics (JSON format)
bash /root/.openclaw/workspace/skills/clawhub-manager/scripts/inspect.sh feishu-voice --json

Search skills

# Search skills (by keyword)
bash /root/.openclaw/workspace/skills/clawhub-manager/scripts/search.sh "feishu"

# Search skills (limit the number of results)
bash /root/.openclaw/workspace/skills/clawhub-manager/scripts/search.sh "pdf" --limit 10

List local skills

# List all installed skills
bash /root/.openclaw/workspace/skills/clawhub-manager/scripts/list.sh

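Publish a skill

# Publish a skill (with an explicit version)
bash /root/.openclaw/workspace/skills/clawhub-manager/scripts/publish.sh \
  /root/.openclaw/workspace/skills/your-skill \
  --version 1.0.0 \
  --changelog "首次发布"

# Publish a skill (with an explicit slug and name)
bash /root/.openclaw/workspace/skills/clawhub-manager/scripts/publish.sh \
  /root/.openclaw/workspace/skills/your-skill \
  --slug your-slug \
  --name "Your Skill Name" \
  --version 1.0.0

Delete a skill

# Delete a skill
bash /root/.openclaw/workspace/skills/clawhub-manager/scripts/delete.sh your-slug

Use Cases

  • 📦 Bulk management - manage the publishing and deletion of several skills at once
  • 📊 Statistics - view a skill's download count, install count and other statistics
  • 🔍 Skill discovery - search for and discover useful skills
  • 🔄 Version management - publish new versions and update skills easily

Sample skill statistics output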

{
  "name": "Feishu Voice",
  "slug": "feishu-voice",
  "downloads": 19,
  "installs": 1,
  "stars": 0,
  "versions": 2,
  "updated": "2026-02-21 16:45"
}

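🔒 Security Notes

Before publishing a skill, make sure that:

  1. No secrets are hardcoded in the skill files

    • All API keys, secrets and tokens must come from environment variables
    • Use placeholders (e.g. YOUR_API_KEY_HERE)
  2. Sensitive information is stored in environment variables

    # ✅ Correct: read from an environment variable
    API_KEY="${API_KEY}"
    
    # ❌ Wrong: hardcoded key
    API_KEY="tvly-YOUR_REAL_KEY_HERE"
    
  3. The .env file has been added to .gitignore

    • Prevents sensitive configuration from being committed to version control
  4. A security scan runs automatically before publishing

    • The script automatically detects common secret leaks
    • If a problem is found, publishing is blocked with a prompt to fix it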

Security Scan

publish.sh has a built-in security scan that automatically detects:

  • 🔑 API keys: Tavily (tvly-), OpenAI (sk-), GitHub (ghp_, gho_, ghu_, ghs_), Perplexity (pplx-), Exa (exa_)
  • 🔐 App secrets: patterns such as app_secret= and app-secret=
  • 🎫 Access tokens: patterns such as access_token= and access-token=
  • 📁 Sensitive files: .env, .secrets, *.key, *.pem
  • 🔧 Hardcoded environment variables: export API_KEY=, export SECRET=

Manual Security Check

You can also run the checks manually before publishing:

# Check for common key formats
grep -r "tvly-\|sk-\|ghp_\|pplx-\|exa_" \
  --include="*.md" --include="*.sh" \
  --include="*.py" --include="*.js" .

# Check for generic key patterns (-E is required so that ? acts as a quantifier)
grep -riE "api[_-]?key\s*[=:]" \
  --include="*.sh" --include="*.py" .
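
The pattern families listed above can be combined into one pre-publish check that ignores placeholders and reports locations only. This is an added example, not the project's publish.sh or security-check.sh: the function names, the 16-character minimum token length and the regexes are assumptions, and the sample skill directory and key are constructed.

```shell
#!/usr/bin/env bash
# Added example (not the project's publish.sh). Thresholds and regexes are assumptions.

# Provider prefixes named in the README, followed by a long token body. The
# leading boundary keeps words such as "task-management" from matching "sk-".
KEY_RE='(^|[^[:alnum:]])(tvly-|sk-|gh[pous]_|pplx-|exa_)[A-Za-z0-9_-]{16,}'
# Generic assignments such as api_key=, app-secret:, access_token=
ASSIGN_RE="(api[_-]?key|app[_-]?secret|access[_-]?token)[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9_./+-]{16,}"
# Placeholders that must not be reported: YOUR_API_KEY_HERE, YOUR-TOKEN-HERE
PLACEHOLDER_RE='YOUR[_-][A-Z0-9_-]*HERE'

# scan_skill_dir DIR: print "FILE path" / "SECRET path:line", return 1 on findings.
# Only locations are printed so the secret itself never lands in logs.
scan_skill_dir() {
  scan_report=$(
    find "$1" -type f ! -path '*/.git/*' \
      \( -name '.env' -o -name '.secrets' -o -name '*.key' -o -name '*.pem' \) \
      | sed 's/^/FILE /'
    grep -rnoIiE --exclude-dir=.git -e "$KEY_RE" -e "$ASSIGN_RE" "$1" \
      | grep -viE "$PLACEHOLDER_RE" | cut -d: -f1,2 | sort -u | sed 's/^/SECRET /'
  )
  [ -z "$scan_report" ] && return 0
  printf '%s\n' "$scan_report"
  return 1
}

# make_demo_skill: build a constructed skill directory and print its path.
make_demo_skill() {
  demo=$(mktemp -d)
  mkdir -p "$demo/scripts"
  # Placeholder and a hyphenated word: neither should be reported.
  printf '%s\n' 'API_KEY="YOUR_API_KEY_HERE"' \
    'A task-management-and-publishing helper.' > "$demo/SKILL.md"
  # Constructed fake key (not a real credential): should be reported.
  printf '%s\n' '#!/bin/sh' \
    'export API_KEY="tvly-CONSTRUCTEDfakeKEY0123456789"' > "$demo/scripts/run.sh"
  printf 'DEBUG=1\n' > "$demo/.env"   # sensitive file name: should be reported
  printf '%s\n' "$demo"
}

demo_dir=$(make_demo_skill)
scan_skill_dir "$demo_dir" || echo "publish blocked: fix the findings above"
rm -rf "$demo_dir"
```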

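If a key has been leaked

  1. ⚠️ Revoke the leaked key immediately
  2. 🔁 Generate a new key
  3. 📝 Replace it with a placeholder (e.g. YOUR_API_KEY_HERE)
  4. 🧹 Purge it from Git history (if it was committed)

Skipping the security scan (not recommended)

# ⚠️ Use only in test environments
bash publish.sh /path/to/skill --version 1.0.0 --skip-security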

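Notes

  1. Permissions

    • Publishing and deleting skills requires being logged in to ClawHub
    • You can only delete skills that you published
  2. Version numbers

    • Follow Semantic Versioning
    • Format: MAJOR.MINOR.PATCH (e.g. 1.0.0)
  3. Slug naming

    • May contain only lowercase letters, digits and hyphens
    • Cannot be changed once published
  4. Rate limits

    • ClawHub may enforce API rate limits
    • Adding a delay is recommended for bulk operations

Author

franklu0819-lang

License

MIT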

Usage Guidance
This skill appears to do what it claims: run the 'clawhub' CLI to list/search/inspect/publish/delete skills and perform local security scans of skill directories. Before installing or invoking it: 1) ensure you have the official clawhub CLI installed and are comfortable with its authentication (the scripts expect you to be logged in); 2) review the publish.sh and delete.sh scripts — delete.sh performs a destructive delete (requires confirmation) and publish.sh invokes clawhub publish and can be bypassed with --skip-security (use cautiously); 3) be aware the SKILL.md uses absolute paths under /root/.openclaw/workspace/skills — if your agent workspace differs, update paths or run scripts directly; 4) the security scan is local grep-based and can produce false positives/negatives — still manually inspect anything flagged; and 5) if you enable autonomous agent invocation, remember the agent could call publish/delete functions (this is platform-default behavior), so grant the skill only to agents you trust to manage ClawHub items.
Capability Analysis
Type: OpenClaw Skill
Name: clawhub-manager
Version: 1.2.0
The clawhub-manager skill bundle is a legitimate utility designed to manage ClawHub skills via the clawhub CLI. It includes scripts for publishing, deleting, searching, and inspecting skills, with a notable emphasis on security; specifically, publish.sh and security-check.sh implement a comprehensive scanner to detect hardcoded API keys (OpenAI, GitHub, Tavily, etc.) and sensitive files (.env, .pem) before publication. The code is well-documented, follows safe scripting practices (e.g., user confirmation for deletions), and contains no evidence of malicious intent or data exfiltration.
Capability Assessment
Purpose & Capability
The name/description ask for ClawHub skill management and the skill requires only the 'clawhub' CLI. Included scripts (publish, delete, inspect, search, list, security-check, test) match the described capabilities and there are no unrelated environment variables or surprising binaries.
Instruction Scope
SKILL.md instructs the agent to run the included shell scripts (paths are absolute under /root/.openclaw/workspace/skills/...), and the scripts operate on user-supplied skill directories and call the clawhub CLI. This is within scope, but the instructions assume the skill files live at that exact workspace path and assume an authenticated clawhub CLI; the absolute paths and reliance on the local workspace are implementation details you should be aware of.
Install Mechanism
No install spec — instruction-only with bundled shell scripts. Nothing downloads or writes code from remote URLs, so disk persistence is limited to the skill's files included in the package.
Credentials
The skill declares no required env vars. The scripts scan code for many common API key patterns (OpenAI, GitHub, Tavily, Perplexity, Exa, generic API keys) which is reasonable for a pre-publish security check. The skill does call the 'clawhub' CLI which typically requires the user to be logged in; this is expected but implicit (no explicit credential env var is requested).
Persistence & Privilege
always is false and the skill does not request system-wide persistence or modify other skills' configs. Scripts perform operations only when invoked, and deletion requires interactive confirmation.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install clawhub-manager
  3. After installation, invoke the skill by name or use /clawhub-manager
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
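v1.2.0
v1.2.0 release: fixes the acceptLicenseTerms bug in ClawHub CLI v0.7.0; the publish.sh script now handles license acceptance automatically
v1.1.1
🔒 Improved security scan: better placeholder recognition, supporting formats such as YOUR_API_KEY_HERE and YOUR-TOKEN-HERE, to reduce false positives
v1.1.0
🔒 Added automatic security scanning: detects secret leaks (API keys, secrets, tokens, etc.) before publishing, supports 10+ key formats, adds the security-check.sh and test-security-scan.sh scripts, and adds the SECURITY.md and CHANGELOG.md documents
v1.0.0
🎉 Initial release: ClawHub skill management tool that wraps publishing, deleting, inspecting and searching skills. Supports JSON output, argument validation, and safety features such as a second confirmation.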
Metadata
Slug clawhub-manager
Version 1.2.0
License MIT-0
All-time Installs 6
Active Installs 6
Total Versions 4
Frequently Asked Questions

What is Clawhub Manager?

ClawHub skill management tool. Wraps publishing, deleting, inspecting and searching skills to make it easy to manage skills on ClawHub. It is an AI Agent Skill for Claude Code / OpenClaw, with 648 downloads so far.

How do I install Clawhub Manager?

Run "/install clawhub-manager" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Clawhub Manager free?

Yes, Clawhub Manager is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Clawhub Manager support?

Clawhub Manager is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Clawhub Manager?

It is built and maintained by xiaofei (@franklu0819-lang); the current version is v1.2.0.
