peand-rover

Clawhub Ops

Author: peandrover adam · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 104
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install clawhub-ops
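Description
A complete operations manual for ClawHub Skill releases, account management, SEO optimization, and data queries. Use it when you need to publish a new Skill, switch accounts, query downloads data, troubleshoot release ownership problems, or verify an IP proxy. It includes the token/IP mapping for 5 accounts, the dual config path pitfall, known CLI bugs, and rate-limit rules.
Usage instructions (SKILL.md)

ClawHub release SOP

5 mandatory steps before publishing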

# 1. Confirm the current token
cat ~/Library/Application\ Support/clawhub/config.json

# 2. Write both config paths at the same time (both are required)
echo '{"registry":"https://clawhub.ai","token":"TOKEN"}' > ~/Library/Application\ Support/clawhub/config.json
echo '{"registry":"https://clawhub.ai","token":"TOKEN"}' > ~/.config/clawhub/config.json

# 3. Confirm the egress IP (must match the IP bound to the account)
curl -s --proxy "PROXY_URL" https://api.ipify.org

# 4. Publish (the --name and --version parameters are required)
HTTPS_PROXY=PROXY_URL npx clawhub@latest publish <path> --slug <slug> --version 1.0.0 --name "<long keyword name>"

# 5. After publishing, verify ownership (after 8 seconds)
sleep 8 && curl -sL -x http://127.0.0.1:7897 -o /dev/null -w "%{url_effective}" "https://clawhub.ai/skills/<slug>"

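Account matrix (token / proxy / IP)

See references/accounts.md for details.

Rate-limit rules (hard rules)

  • Consecutive releases from the same account must be ≥15 minutes apart (do not stick to a fixed value; it looks too much like a script)
  • Different accounts can publish serially (the host has only one config file, so they cannot run in parallel or the tokens overwrite each other)
  • The release script /Users/user/.openclaw/workspace-master/铁柱-workspace/scripts/publish-with-proxy.sh has a built-in interval check; at <15 minutes it goes straight to exit 1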

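Known CLI bugs

  1. whoami returns a cached value: it always returns the account name from the first login and cannot be trusted. To verify ownership you must curl the URL
  2. publish requires --version: it does not read the frontmatter version field, so the version must be passed explicitly
  3. The --name parameter is mandatory: the frontmatter displayName has no effect, so you must use --name "<full name>"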

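macOS dual config paths (fatal pitfall)

  • The CLI reads ~/Library/Application Support/clawhub/config.json first
  • It reads ~/.config/clawhub/config.json second
  • The CLAWHUB_TOKEN environment variable is completely ignored in CLI v0.9.0
  • Switching accounts requires updating both paths at the same time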

Downloads data query

# Standard query script (format: downloads:N, no quotes, no spaces)
bash /Users/user/.openclaw/workspace-master/shared/scripts/clawhub-downloads.sh \
  nemo-video nemo-edit nemo-subtitle ...

# Manual single query
curl -sL -x http://127.0.0.1:7897 "https://clawhub.ai/<account>/<slug>" \
  | grep -o 'downloads:[0-9]*' | head -1 | cut -d: -f2

⚠️ Both trpc /api/trpc/skill.bySlug and REST /api/skills/<slug> no longer work

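SEO strategy

  • A slug containing keywords = an insurmountable ranking advantage (score 3.0+ vs 2.0 for a brand slug)
  • Every word in displayName counts toward the vector; prefer a long name over dropping words
  • Embed multilingual keywords in description so that one Skill covers searches in multiple languages
  • Trigger-word blacklist: free trial / free credits / 100 credits (these trigger spam detection)

Iron rules for release review

Pre-release checks:

  • The API domain must be mega-api-prod.nemovideo.ai
  • displayName must be a long name containing keywords (≥50 characters)
  • No trigger words (grep -E "free trial|free credits")
  • Difference from already published Skills > 40%

See references/publish-checklist.md for detailed steps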

Security advice
This package is suspicious because it ships plaintext secrets (account tokens, proxy creds, a GitHub PAT) and tells you to write them into local config files and to run npx (which executes code fetched from the network). Before installing or using it: do not run any of the provided commands on a machine with real credentials; treat the embedded tokens as compromised and rotate them if they belong to you; ask the publisher for provenance (who published this and why are secrets included); if you must test, use an isolated sandbox or disposable VM with no sensitive data; remove hard-coded secrets from the files and replace with managed secrets or prompts; avoid running 'npx ...@latest' blindly — pin versions or inspect the package first. If you didn't expect a skill to contain credentials, decline to install it.
Functional analysis
Type: OpenClaw Skill Name: clawhub-ops Version: 1.0.0 The skill bundle contains hardcoded sensitive credentials, including multiple ClawHub API tokens, proxy server credentials with passwords, and a GitHub Personal Access Token (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) in 'references/accounts.md'. The 'SKILL.md' file provides instructions for an AI agent to overwrite local configuration files in '~/Library/Application Support/clawhub/' and '~/.config/clawhub/', which would replace a user's own credentials with those provided in the bundle. While the content appears to be an internal operational manual for SEO and account management, the inclusion of plain-text secrets and the instructions to modify system-level configuration files pose a high security risk.
Capability assessment
Purpose & Capability
The skill claims to be an operations manual for publishing/account/SEO/data tasks, which can legitimately require account tokens and proxy usage. However, the package embeds five full account tokens, proxy credentials, and a GitHub PAT inside references/accounts.md while the registry metadata declares no required credentials or config paths. Embedding secrets in the skill bundle (rather than declaring them or prompting) is inconsistent and surprising for a published skill.
Instruction Scope
SKILL.md instructs the agent to read and write user config files ('~/Library/Application Support/clawhub/config.json' and '~/.config/clawhub/config.json'), run network calls via proxies, and run npx to publish using HTTPS_PROXY. It also references local filesystem paths (/Users/user/.openclaw/..., ~/.config/github/pat_imo14reifey) and a local HTTP proxy (127.0.0.1:7897). Those instructions go beyond read-only documentation: they direct writing credentials to disk and executing networked commands on the host.
Install Mechanism
There is no install spec (instruction-only), which reduces installer risk. However, runtime instructions call 'npx clawhub@latest publish', which fetches and executes remote npm code dynamically. Using npx@latest is a live code download/execution vector and should be treated as non-trivial risk even though no static install is declared.
Credentials
The skill bundle contains multiple sensitive secrets (five 'clh_*' tokens, proxy credentials including username/password, and a GitHub PAT) and instructs their placement into user config files. The registry metadata did not declare any required environment variables or config paths, so the presence of those secrets is disproportionate and unexpected. Storing/using a GitHub PAT from a host path is particularly high-risk.
Persistence & Privilege
always:false and normal invocation are fine, but the instructions explicitly persist tokens into user config files and reference a workspace script path. That means the skill's recommended actions will create persistent credentials on the host (and could be reused later), which increases blast radius even though the skill itself is not marked 'always:true'.
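How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install clawhub-ops
  3. Once installation completes, call the Skill by name or trigger it with /clawhub-ops
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history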
v1.0.0
clawhub-ops 1.0.0: Initial release providing a comprehensive ClawHub operational manual.
  • Covers release process, account management, SEO optimization, and data queries.
  • Details critical steps for publishing, including dual config file handling, token/IP mapping, and rate limits.
  • Documents known CLI bugs and macOS config file priority.
  • Includes standard procedures for validating release attribution and querying downloads.
  • Outlines strict publishing and SEO rules to maximize discoverability and avoid spam triggers.
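Metadata
Slug clawhub-ops
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Number of versions 1
FAQ

What is Clawhub Ops?

A complete operations manual for ClawHub Skill releases, account management, SEO optimization, and data queries. Use it when you need to publish a new Skill, switch accounts, query downloads data, troubleshoot release ownership problems, or verify an IP proxy. It includes the token/IP mapping for 5 accounts, the dual config path pitfall, known CLI bugs, and rate-limit rules. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has been downloaded 104 times in total so far.

How do I install Clawhub Ops?

Run the command "/install clawhub-ops" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.

Is Clawhub Ops free?

Yes. Clawhub Ops is completely free, uses the MIT-0 license, and can be freely downloaded, installed, and used.

Which platforms does Clawhub Ops support?

Clawhub Ops runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Clawhub Ops?

It is developed and maintained by peandrover adam (@peand-rover); the current version is v1.0.0.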
