← 返回 Skills 市场
tudoubudou

ClawHub Skill 发布避坑指南

作者 tudoubudou · GitHub ↗ · v1.2.1 · MIT-0
cross-platform ✓ 安全检测通过
380
总下载
0
收藏
1
当前安装
4
版本数
在 OpenClaw 中安装
/install clawhub-skill-publishing-guide
功能描述
ClawHub Skill 发布避坑指南。让你的 Skill 发布后能被搜索到,避免安全扫描导致隐藏。适用于需要发布 Skill 到 ClawHub 的开发者。
使用说明 (SKILL.md)

ClawHub Skill 发布避坑指南

发布前检查清单

✅ 必须避免的内容

问题类型 风险等级 解决方案
硬编码 API Keys 🔴 高 使用环境变量
HTTP 明文传输 🟡 中 添加安全警告说明
外部 URL/端点 🟢 低 正常发布
敏感信息 🔴 高 移除或环境变量
未声明环境变量 🔴 高 在 YAML front matter 中声明

✅ 推荐做法

  1. API Key 放在环境变量
# ❌ 硬编码(会被扫描拦截)
API_KEY = "sk-xxx"

# ✅ 环境变量(安全)
API_KEY = os.environ.get("API_KEY")
  1. HTTP endpoint 要警告用户
## ⚠️ 安全警告
- HTTP 明文传输,API Key 可能有泄露风险
- 仅在可信网络使用
  1. ⚠️ 必须在 YAML front matter 中声明环境变量

这是最重要的一步!如果不在 front matter 中声明,安全扫描会报警告:

---
name: my-skill
version: 1.0.0
description: 使用某个 API 的技能
metadata:
  openclaw:
    requires:
      env:
        - MY_API_KEY        # 必需的环境变量
        - MY_OPTIONAL_URL   # 可选的环境变量
    primaryEnv: MY_API_KEY  # 主要认证凭据
---

关键点

  • requires.env:列出所有需要的环境变量
  • primaryEnv:指定主要认证凭据(API Key)
  • 这样 ClawHub 才能正确识别你的 skill 需要哪些环境变量
  1. SKILL.md 正文也要说明环境变量
## 环境变量
- MY_API_KEY=xxx  # 必需
- MY_OPTIONAL_URL=http://example.com  # 可选

⚠️ 开发者协议确认(新!)

如果发布时遇到错误:acceptLicenseTerms: invalid value

说明你需要先在 ClawHub 网站上同意开发者协议:

  1. 访问 https://clawhub.ai
  2. 登录你的账户
  3. 进入 SettingsDeveloper Settings
  4. 同意开发者许可协议
  5. 然后再执行发布命令

发布命令

# 方式一:使用 clawhub CLI(需要先在网站同意开发者协议)
clawhub publish ./skills/your-skill --version 1.0.0

# 方式二:使用 curl 直接发布(支持 acceptLicenseTerms)
TOKEN=$(cat ~/.config/clawhub/config.json | jq -r '.token')
curl -X POST "https://clawhub.ai/api/v1/skills" \
  -H "Authorization: Bearer $TOKEN" \
  -F 'payload={"slug":"your-skill","displayName":"Your Skill","version":"1.0.0","changelog":"","tags":["latest"],"acceptLicenseTerms":true};type=application/json' \
  -F "[email protected];filename=SKILL.md"

注意acceptLicenseTerms: true 是必需的参数,表示同意开发者许可协议。

发布后验证

# 搜索 Skill
clawhub search your-skill-name

# 检查状态
clawhub inspect your-skill-name

常见问题

Q: Skill 被隐藏怎么办?

A: 等待安全扫描通过,或移除敏感信息重新发布

Q: 提示 hard-coded credentials 怎么办?

A: 改用环境变量,添加安全警告

Q: 版本号冲突怎么办?

A: 升级版本号,如 1.0.0 → 1.0.1

Q: 提示 acceptLicenseTerms: invalid value 怎么办?

A: 先在 ClawHub 网站上同意开发者协议,然后再发布

Q: 安全扫描报警告 "未声明环境变量" 怎么办?

A: 在 YAML front matter 中添加 metadata.openclaw.requires.env 声明:

metadata:
  openclaw:
    requires:
      env:
        - YOUR_API_KEY
    primaryEnv: YOUR_API_KEY

Q: 安全扫描说 "registry metadata claims no required env vars" 怎么办?

A: 同上,你需要在 front matter 中声明环境变量。即使代码中已经使用了 os.environ.get(),也必须在元数据中声明,否则 ClawHub 无法正确识别。

安全使用建议
This guide appears coherent and intended to help developers publish skills. Before following its commands: (1) verify SKILL.md contains no secrets before uploading (the curl example will post your file to https://clawhub.ai), (2) the curl example extracts a bearer token from ~/.config/clawhub/config.json — confirm you trust the destination and understand where the token comes from, (3) the guide assumes tools (clawhub CLI, curl, jq); ensure these are present and you trust any commands you paste into a shell, (4) consider declaring required binaries/env vars in your skill metadata as recommended so scanners don't hide your skill, and (5) if you plan to automate publishing, prefer using environment variables or an approved CLI auth flow rather than cat-ing local config files to avoid accidental credential exposure.
功能分析
Type: OpenClaw Skill Name: clawhub-skill-publishing-guide Version: 1.2.1 The skill bundle is a legitimate documentation guide (SKILL.md) designed to help developers publish skills to the ClawHub registry. It promotes security best practices by instructing users to avoid hardcoding API keys and instead use environment variables and metadata declarations. The provided shell commands for publishing via 'curl' or the 'clawhub' CLI are standard administrative tasks for this ecosystem and do not contain malicious payloads or exfiltration logic.
能力评估
Purpose & Capability
The SKILL.md content (how to publish to ClawHub, declaring env vars in front matter, curl/CLI examples) aligns with the skill's stated purpose. Minor mismatch: the instructions assume tools (clawhub CLI, curl, jq) and access to a local ClawHub config file, but the registry metadata lists no required binaries or env vars.
Instruction Scope
Instructions are generally scoped to publishing tasks, but they explicitly show commands that read a local file (~/.config/clawhub/config.json) to extract a bearer token and upload SKILL.md via curl. Reading a local token and uploading files is relevant to publishing but is sensitive — the guide doesn't warn about ensuring SKILL.md contains no secrets before uploading.
Install Mechanism
No install spec and no code files — lowest-risk form. The guide only contains shell/CLI examples and does not cause files to be downloaded or installed by the platform.
Credentials
Registry metadata declares no required env vars, while the document teaches developers to declare required env vars in SKILL.md front matter. The curl example reads a bearer token from a local config file instead of using a declared env var; this is reasonable for publishing but is a point to verify personally.
Persistence & Privilege
always is false and there is no indication the skill asks for persistent or elevated privileges or modifies other skills' configuration.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install clawhub-skill-publishing-guide
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /clawhub-skill-publishing-guide 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.2.1
新增触发词:发布、更新
v1.2.0
新增:YAML front matter 环境变量声明示例,解决安全扫描警告问题
v1.1.0
添加 acceptLicenseTerms 参数说明,支持 curl 直接发布方式
v1.0.0
clawhub-skill-publishing-guide v1.0.0 - Initial release providing a guide for publishing ClawHub Skills safely. - Includes a pre-publish checklist to avoid hidden or blocked Skills. - Provides solutions for common risks like hardcoded API keys and HTTP endpoints. - Offers sample code, recommended best practices, and required SKILL.md info. - Covers publishing commands, verification steps, and troubleshooting tips.
元数据
Slug clawhub-skill-publishing-guide
版本 1.2.1
许可证 MIT-0
累计安装 1
当前安装数 1
历史版本数 4
常见问题

ClawHub Skill 发布避坑指南 是什么?

ClawHub Skill 发布避坑指南。让你的 Skill 发布后能被搜索到,避免安全扫描导致隐藏。适用于需要发布 Skill 到 ClawHub 的开发者。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 380 次。

如何安装 ClawHub Skill 发布避坑指南?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install clawhub-skill-publishing-guide」即可一键安装,无需额外配置。

ClawHub Skill 发布避坑指南 是免费的吗?

是的,ClawHub Skill 发布避坑指南 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

ClawHub Skill 发布避坑指南 支持哪些平台?

ClawHub Skill 发布避坑指南 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 ClawHub Skill 发布避坑指南?

由 tudoubudou(@tudoubudou)开发并维护,当前版本 v1.2.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论