ivangdavila

Skill Publish

Author: Iván · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 954
Favorites: 2
Current installs: 1
Versions: 1
Install in OpenClaw
/install skill-publish
Description
Safely publish skills to ClawHub. Sanitize, format, verify, and publish without modifying your local files.
Security usage recommendations
This skill appears to implement a reasonable safe-publish workflow, but double-check before using:
- Confirm the agent actually follows the sanitize.md checklist and does not publish until you explicitly approve the verification prompt. Do not rely solely on automated detection.
- Be cautious of the transform.md advice to 'include by default' — it makes it easier to accidentally include private items. Prefer excluding when unsure and ask the agent to highlight anything it included that looks sensitive.
- The publish step uses `npx clawhub publish`; ensure you understand how ClawHub authentication will be provided (interactive login, environment variables, or token). Do not paste long-lived tokens into skill content. Prefer using ephemeral credentials or logging in interactively.
- Test the workflow on a harmless example in a temp folder (/tmp/publish-test) to confirm the agent's behavior before publishing real content.
- If you have any private files, secrets, or internal URLs, remove or genericize them manually rather than relying only on automated sanitization.

If you want higher assurance, ask the skill-author (or the agent) to show a complete, post-sanitization preview of the exact files that will be published and confirm that no credentials or private endpoints remain.
Functional analysis
Type: OpenClaw Skill
Name: skill-publish
Version: 1.0.0

The skill's primary function is to safely publish other skills, with strong emphasis on sanitization and user approval. However, the `verify.md` file instructs the agent to execute `npx clawhub publish` and `npx clawhub install` commands, which accept user-controlled parameters like `--slug` and `--name`. If the OpenClaw agent does not rigorously sanitize these user-provided strings before executing the shell command, it could lead to a command injection vulnerability (RCE). While the skill's instructions do not explicitly encourage malicious behavior, this potential for RCE via unsanitized input makes it suspicious.
Capability assessment
Purpose & Capability
The name/description (publish skills to ClawHub) align with the instructions (transform, sanitize, verify, publish). One small inconsistency: the verify.md shows an npx clawhub publish command (which implies the presence of npm/npx and ClawHub tooling/credentials), yet the skill declares no required binaries or credentials. This is plausible (the agent may prompt the user for any required auth at runtime) but should be called out.
Instruction Scope
SKILL.md + auxiliaries stay within the publishing workflow and explicitly forbid modifying originals and require user approval. Good: clear sanitization checklist and explicit verification steps. Caution: transform.md's 'Default: Include it' guidance and the suggestion to 'When in doubt, include more' encourage conservative inclusion which can increase the risk of accidentally publishing sensitive data unless the agent rigorously follows sanitize.md and verify.md.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself. Low install risk.
Credentials
The skill declares no required env vars or credentials, which is appropriate for a generic publishing helper. However, the publish step (npx clawhub publish) will require network access and ClawHub authentication in practice; the skill does not document how credentials are obtained or handled. That omission is operationally important but does not necessarily indicate malicious intent.
Persistence & Privilege
`always` is false and the instructions explicitly require working in a separate temporary folder and never modifying original files. The skill does not ask to persist or change agent/system-level configuration. Autonomous invocation is allowed (platform default) but not by itself a concern here.
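How to use
  1. Make sure OpenClaw is installed (locally or via Docker deployment)
  2. Enter the install command in the chat box: /install skill-publish
  3. Once installation completes, invoke the Skill directly by name or trigger it with /skill-publish
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history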
v1.0.0
Initial release - Safe skill publishing with sanitization
Metadata
Slug: skill-publish
Version: 1.0.0
License
Total installs: 2
Current installs: 1
Historical versions: 1
FAQ

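What is Skill Publish?

Safely publish skills to ClawHub. Sanitize, format, verify, and publish without modifying your local files. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 954 total downloads to date.

How do I install Skill Publish?

Run the command "/install skill-publish" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Skill Publish free?

Yes, Skill Publish is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Skill Publish support?

Skill Publish runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Skill Publish?

It is developed and maintained by Iván (@ivangdavila); the current version is v1.0.0.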
