Clawhub Publish Security
/install clawhub-publish-security
ClawHub Publish Security Skill 🔒
Description
Mandatory security scanner for ClawHub skill publication. It detects sensitive information (credentials, tokens, e-mail addresses, personal paths) in a skill directory before publication and reports every hit so the skill is not published until the scan is clean.
When to Use This Skill
ALWAYS run before clawhub publish:
- Publishing your first skill
- Updating existing skills
- Any skill that contains configuration examples
- Scripts that handle credentials or paths
Installation
```bash
# Install via ClawHub
clawhub install clawhub-publish-security
# The skill installs:
# - security-scan.py (automated scanner)
# - README.md (complete security guide)
# - SKILL.md (this file)
```
Usage
Quick Scan
```bash
# Scan a skill before publication
python skills/clawhub-publish-security/security-scan.py skills/your-skill
# Or from the skill directory
cd skills/your-skill
python ../clawhub-publish-security/security-scan.py .
```
Pre-Publish Workflow
```bash
# 1. Create your skill
cd skills/my-awesome-skill
# 2. Run the security scan
python ../clawhub-publish-security/security-scan.py .
# 3. Fix any issues found
# 4. Re-run the scan until it is clean
python ../clawhub-publish-security/security-scan.py .
# 5. Publish only when the scan passes
clawhub publish . --slug my-awesome-skill
```
What It Checks
❌ Blocked Patterns (Will Fail Scan)
| Type | Pattern | Example (❌ BAD) | Fix (✅ GOOD) |
|---|---|---|---|
| Phone Numbers | `+420...`, `+1...` | `+420XXXXXXXXX` | `<YOUR_PHONE_NUMBER>` |
| Personal Paths | `Users\<name>` | `C:\Users\<name>\ComfyUI` | `C:\ComfyUI` |
| API Keys | `api_key=XXX` | `api_key=sk-XXX` | `os.environ.get("API_KEY")` |
| Tokens | `token=XXX` | `token=ghp_XXX` | `<YOUR_TOKEN>` |
| Emails | `name@domain` | `user@example.com` | `<YOUR_EMAIL>` |
| Passwords | `password=XXX` | `password=XXX` | `<YOUR_PASSWORD>` |
| Secrets | `secret=XXX` | `secret=XXX` | `<YOUR_SECRET>` |
✅ Allowed Patterns (Safe)
| Type | Example | Status |
|---|---|---|
| Placeholders | `<YOUR_PHONE_NUMBER>` | ✅ Safe |
| Env vars | `os.environ.get("API_KEY")` | ✅ Safe |
| Generic paths | `C:\ComfyUI`, `~/.openclaw` | ✅ Safe |
| Author name | `"author": "Name (user)"` | ✅ Safe |
| Public URLs | `https://github.com/...` | ✅ Safe |
Output Examples
Clean Scan ✅
```text
============================================================
[LOCK] ClawHub Publish Security Scanner
============================================================
[DIR] Scanning: C:\Users\vilda\.openclaw\workspace\skills\your-skill
[OK] Phone Numbers: CLEAN (0 found)
[OK] Personal Paths: CLEAN (0 found)
[OK] API Keys: CLEAN (0 found)
[OK] Tokens: CLEAN (0 found)
[OK] Emails: CLEAN (0 found)
[OK] Passwords: CLEAN (0 found)
[OK] Secrets: CLEAN (0 found)
[PASS] ALL CHECKS PASSED - Ready for publication!
[OK] You can now safely run: clawhub publish
```
Failed Scan ❌
```text
============================================================
[LOCK] ClawHub Publish Security Scanner
============================================================
[DIR] Scanning: C:\Users\vilda\.openclaw\workspace\skills\your-skill
[FAIL] Phone Numbers: FOUND (1 issue)
    - config.json:15: "+420XXXXXXXXX"
[OK] Personal Paths: CLEAN (0 found)
[OK] API Keys: CLEAN (0 found)
...
============================================================
[FAIL] SECURITY ISSUES FOUND - Do NOT publish!
Total issues: 1
============================================================
[INFO] How to fix:
    - Phone numbers: Replace with <YOUR_PHONE_NUMBER>
[FAIL] After fixing, re-run: python security-scan.py /path/to/skill
[OK] Only publish when ALL checks pass!
```
Files to Scan
Always Scan These:
| File | Risk Level | Common Issues |
|---|---|---|
| `*.py`, `*.js` | 🔴 High | Hardcoded credentials |
| `config.json` | 🔴 High | API keys, tokens |
| `*.sh`, `*.ps1` | 🔴 High | Personal paths |
| `README.md` | 🟡 Medium | Example values |
| `SKILL.md` | 🟡 Medium | Config examples |
Safe to Skip:
| File | Reason |
|---|---|
| `*.md` (docs only) | Low risk, but still scanned |
| `LICENSE` | No credentials |
| `.gitignore` | No credentials |
Integration
OpenClaw Pre-Publish Hook
Add to your workflow:
Use a shell function rather than an alias: an alias with a relative scanner path only works from the workspace root, where `.` would scan the whole workspace instead of the skill. The function below passes the same directory to both the scanner and `clawhub publish`; the scanner path assumes the default OpenClaw workspace location.
```bash
# Before every publish: scan the skill directory, then publish only if the scan passes
clawhub-publish() {
    python "$HOME/.openclaw/workspace/skills/clawhub-publish-security/security-scan.py" "${1:-.}" \
        && clawhub publish "$@"
}
# Usage (from inside the skill directory)
clawhub-publish . --slug my-skill
```
CI/CD Pipeline
```yaml
# GitHub Actions example
- name: Security Scan
  run: python skills/clawhub-publish-security/security-scan.py ./skills/my-skill
- name: Publish to ClawHub
  if: success()
  run: clawhub publish ./skills/my-skill
```
Best Practices
DO ✅
```python
# Environment variables
api_key = os.environ.get("API_KEY")
# Generic paths
comfyui_path = r"C:\ComfyUI"
# Placeholders in docs
"target": "<YOUR_PHONE_NUMBER>"
# Author attribution
"author": "Name (username)"
```
DON'T ❌
```python
# Hardcoded credentials
api_key = "sk-XXX"
# Personal paths (contains Users\<name>)
comfyui_path = r"C:\Users\<name>\ComfyUI"
# Real values in examples
"target": "+420XXXXXXXXX"
```
Troubleshooting
False Positive: Email in Author Field
Problem: The scanner flags an e-mail address in the author attribution.
Solution: This is intentional; e-mail addresses should not appear in published skills. Use:
"author": "Name (username)"
False Positive: Generic Path
Problem: C:\Program Files is flagged.
Solution: This is a system path, not a personal one, and should pass. If the scanner flags it, report it as a bug.
Scan Hangs
Problem: The scan takes too long.
Solution: Look for large or binary files in the skill directory and add them to .gitignore so they are neither scanned nor published.
Related Skills
- clawhub-smart-updater - Safe skill updates
- openclaw-safe-audit - Security audit for OpenClaw
- edgeone-clawscan - Tencent security scanner
License
MIT-0 - Free to use, modify, and redistribute without attribution.
Author
Klepeto 🦞 (vilda)
Created: 2026-05-07
Purpose: Prevent security incidents in published ClawHub skills
Changelog
1.0.0 (2026-05-07)
- Initial release
- Automated security scanning
- Pattern detection for 7 sensitive data types
- Pre-publish checklist
- CI/CD integration support
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install clawhub-publish-security
- Once installed, call the skill by name or trigger it with /clawhub-publish-security
- Provide the inputs described in the skill's parameters to get structured output
What is Clawhub Publish Security?
Automated pre-publish scanner that detects and blocks sensitive data like credentials, tokens, emails, and personal paths in ClawHub skills. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 50 downloads to date.
How do I install Clawhub Publish Security?
Run the command "/install clawhub-publish-security" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Clawhub Publish Security free?
Yes. Clawhub Publish Security is completely free under the MIT-0 license and can be downloaded, installed, and used without restriction.
Which platforms does Clawhub Publish Security support?
Clawhub Publish Security is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.
Who developed Clawhub Publish Security?
Developed and maintained by Vilém Kužel (@vilda007); the current version is v1.0.1.