antonia-sz

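Skill Publisher — ClawHub One-Click Publisher

Author: antonia huang · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 339 · Favorites: 0 · Current installs: 1 · Versions: 1
Install in OpenClaw: /install clawhub-publish-skill
Description
An automated publishing assistant that publishes a local skill directory to clawhub.com. Triggered when the user says things like "publish this skill to clawhub", "upload the XX skill to clawhub", "clawhub publish" or "publish to clawhub". Handles automatically: token verification, CLI bug patch, ...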
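Usage instructions (SKILL.md)

ClawHub Publisher — Automatic Skill Publisher

Publish a local skill directory to clawhub.com in one step, automatically handling all known pitfalls.


Required from the user

| Parameter | Description | Example |
|---|---|---|
| skill directory path | Local skill folder (must contain SKILL.md) | /root/.openclaw/workspace/skills/SKILL-xxx |
| clawhub token | Format clh_xxx; obtain from clawhub.com → Profile → API Keys | clh_7XoVic... |
| slug | URL name, all lowercase with hyphens | my-skill-name |
| displayName | Display name | My Skill — one-line description |
| tags | Comma-separated (optional) | productivity,writing |

If any required item is missing, ask only for the missing one; do not repeat information that is already known.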


Execution flow

Step 1: Environment check

# Confirm the clawhub CLI is installed
which clawhub || npm install -g clawhub
clawhub --version

# Confirm the skill directory exists and contains SKILL.md
ls {skill_dir}/SKILL.md

Step 2: Patch the CLI (if needed)

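The clawhub CLI has a bug: when publishing, the payload lacks acceptLicenseTerms: true, and the server returns 400.

Check and fix:

PUBLISH_JS=$(find /usr/local/lib /usr/lib -name "publish.js" -path "*/clawhub/*" 2>/dev/null | head -1)

# Check whether the patch is already applied (if/elif so exactly one branch runs)
if [ -z "$PUBLISH_JS" ]; then
  echo "publish.js not found" >&2
elif grep -q "acceptLicenseTerms" "$PUBLISH_JS"; then
  echo "already patched"
else
  # Add acceptLicenseTerms: true where the payload is built
  sed -i 's/skillName:/acceptLicenseTerms: true, skillName:/' "$PUBLISH_JS" && echo "patch complete"
fi

💡 The patch is idempotent; running it repeatedly is harmless.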
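
A review-first variant of the Step 2 patch, added here as an example and not part of the skill or the clawhub CLI: it previews the change as a diff, applies it only on explicit confirmation, and keeps a backup for rollback. The function names, the .orig backup suffix and the sample publish.js line are assumptions of this example.

```shell
#!/bin/sh
# Added example: preview, confirm, back up, then patch. Not part of the skill.
# Function names, the .orig suffix and the sample file are assumptions.
PATCH_EXPR='s/skillName:/acceptLicenseTerms: true, skillName:/'   # expression from Step 2

# Show what the patch would change without modifying anything.
# Returns 0 only if the file exists, is unpatched, and the pattern matches.
preview_patch() {
  target=$1
  [ -f "$target" ] || { echo "not a file: $target" >&2; return 1; }
  if grep -q 'acceptLicenseTerms' "$target"; then
    echo "already patched: $target"; return 1
  fi
  tmp=$(mktemp) || return 1
  sed "$PATCH_EXPR" "$target" > "$tmp"
  if diff -u "$target" "$tmp"; then      # exit 0 means identical: pattern absent
    rm -f "$tmp"; echo "no 'skillName:' in $target; patch would do nothing" >&2
    return 1
  fi
  rm -f "$tmp"
}

# Apply only on an explicit "yes"; keep the original beside the file for rollback.
apply_patch() {
  target=$1; confirm=$2
  [ "$confirm" = "yes" ] || { echo "not confirmed; $target untouched"; return 1; }
  cp -p "$target" "$target.orig" || return 1
  sed "$PATCH_EXPR" "$target.orig" > "$target"
  if ! grep -q 'acceptLicenseTerms' "$target"; then
    cp -p "$target.orig" "$target"       # roll back on an unexpected result
    return 1
  fi
  echo "patched $target (backup: $target.orig)"
}

# Constructed stand-in for the CLI's publish.js, so the example runs offline.
make_sample() {
  dir=$(mktemp -d) || return 1
  printf 'const payload = { skillName: name, version: version };\n' > "$dir/publish.js"
  echo "$dir/publish.js"
}

# Demo on the constructed file: show the diff, then apply with confirmation.
f=$(make_sample) && preview_patch "$f" && apply_patch "$f" yes
```

Against a real install, run preview_patch on the located publish.js first and read the diff before passing yes to apply_patch.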

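Step 3: Duplicate check (optional but recommended)

# Use knot_skills to search for an existing skill with the same name or function
knot_skills search "{slug keywords}"

If an exact duplicate skill is found, tell the user and ask whether to continue (change the slug or abandon).

Step 4: Publish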

CLAWHUB_TOKEN={token} \
clawhub publish {skill_dir} \
  --slug {slug} \
  --name "{displayName}" \
  --version {version:-1.0.0} \
  --changelog "{changelog:-Initial release}" \
  --tags "{tags:-latest}"

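Step 5: Error handling

When one of the following errors occurs, handle it as described:

Error: Path must be a folder → check whether the path passed in is a directory or a file, correct it and retry

slug already taken / 409 → append -v2 or a more specific suffix to the slug, ask the user to confirm, then retry

rate limit exceeded / 429 → use the qqbot-cron skill to create a scheduled retry task:

- Run the same publish command about 65 minutes later
- Task name: clawhub-publish-retry-{slug}
- Notify the user when it completes

400 Bad Request (mentioning acceptLicenseTerms) → re-run the Step 2 patch, then retry

401 Unauthorized → the token is invalid or expired; ask the user to generate a new one at clawhub.com

Step 6: Verify the listing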

knot_skills search "{slug}"

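After a successful publish, reply:

✅ Published: {displayName}
📦 slug: {slug}
🌐 https://clawhub.com/skills/{slug}
Install command: clawhub install {slug}

Quick invocation example

The user says:

"Publish /workspace/skills/SKILL-my-tool to clawhub, the token is clh_abc, use my-tool as the slug"

Run Steps 1-6 directly and report the result when finished; no step-by-step confirmation is needed.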

Security usage advice
This skill is suspicious rather than clearly benign. Before using it:
  1. Note the metadata claims no env vars but the instructions require your clawhub token — do not paste long‑lived secrets without verifying source.
  2. The skill suggests running 'npm install -g clawhub' and then searching and editing system files (publish.js). Patching global packages can require root and can alter behavior system-wide; prefer to inspect the target file yourself and back it up before allowing any automatic patch.
  3. The SKILL.md calls out other CLIs (knot_skills, qqbot-cron) that are not declared — confirm those tools exist and are safe.
  4. If you must use this, run it in an isolated environment (container or VM) or perform steps manually: install clawhub yourself, inspect publish.js, and run the publish command with a short‑lived token.
  5. If anything seems unclear, treat the skill as untrusted and avoid giving it system or privileged access.
Functional analysis
Type: OpenClaw Skill · Name: clawhub-publish-skill · Version: 1.0.0
The skill automates publishing to clawhub.com but includes a high-risk step that uses `sed` to modify the source code of the globally installed `clawhub` CLI (`publish.js`) to inject parameters. While described as a bug fix for a 400 error, the automated modification of system-level executable files and instructions to proceed without user confirmation (SKILL.md) are risky behaviors. No evidence of intentional data exfiltration or malicious backdoors was found.
Capability assessment
Purpose & Capability
The SKILL.md describes a ClawHub publisher which legitimately needs a clawhub token and a local skill path; however the registry metadata declares no required env vars or binaries. The instructions also rely on external CLI tools (clawhub, knot_skills, qqbot-cron) and propose patching system-installed files — capabilities that are not reflected in the metadata and are broader than a simple publisher helper would normally need.
Instruction Scope
The runtime instructions tell the agent to run shell commands, install a global npm package if missing, search system library paths (/usr/local/lib, /usr/lib) for publish.js, and use sed -i to alter that file to insert acceptLicenseTerms: true. This modifies third‑party/system files outside the user's skill directory and requires elevated privileges in many environments. The doc also instructs using other tools (knot_skills, qqbot-cron) without declaring them.
Install Mechanism
There is no formal install spec (instruction-only), but the SKILL.md runs an inline install flow (npm install -g clawhub) which downloads and installs code from the network. Combined with editing global package files, this is a high-risk install pattern because it writes/executes code system-wide and isn't constrained by the registry metadata.
Credentials
The registry metadata lists no required environment variables, yet the SKILL.md explicitly requires a clawhub token and various user-supplied parameters. That mismatch is confusing and could lead to unexpected prompts for secrets. Additionally the steps may require root or write access to global npm locations to patch files, which is disproportionate for a simple publisher operation.
Persistence & Privilege
The skill is not marked always:true, but its instructions ask to modify system-wide CLI code (publish.js) and to install global npm packages — actions that can have persistent, system-level effects and generally require elevated privileges. This increases blast radius if the instructions are malicious or buggy.
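How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install clawhub-publish-skill
  3. After installation, call the Skill by name or trigger it with /clawhub-publish-skill
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
Publish a local skill directory to clawhub in one step, automatically handling the patch, slug conflicts and rate limits
Metadata
Slug: clawhub-publish-skill
Version: 1.0.0
License: MIT-0
Total installs: 1
Current installs: 1
Historical versions: 1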
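FAQ

What is Skill Publisher — ClawHub One-Click Publisher?

An automated publishing assistant that publishes a local skill directory to clawhub.com. Triggered when the user says things like "publish this skill to clawhub", "upload the XX skill to clawhub", "clawhub publish" or "publish to clawhub". Handles automatically: token verification, CLI bug patch, ... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 339 total downloads to date.

How do I install Skill Publisher — ClawHub One-Click Publisher?

Run the command "/install clawhub-publish-skill" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Skill Publisher — ClawHub One-Click Publisher free?

Yes. Skill Publisher — ClawHub One-Click Publisher is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does Skill Publisher — ClawHub One-Click Publisher support?

Skill Publisher — ClawHub One-Click Publisher runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops Skill Publisher — ClawHub One-Click Publisher?

It is developed and maintained by antonia huang (@antonia-sz); the current version is v1.0.0.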
