Skill Publish To Market
Author: dingtom336-gif · v1.0.0 · MIT-0
Total downloads: 84 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install skill-publish-to-market
Description
Publish any SKILL.md to 4 skill markets (ClawHub, Anthropic Skills, ECC Community, skills.sh) with one command. Collects tokens, validates quality, creates P...
Security usage recommendations
This skill appears to do what it claims (publish SKILL.md to ClawHub and several GitHub-based registries), but proceed with caution:
- Source trust: the package has no homepage and an unknown owner; verify the origin before providing credentials.
- High-privilege token: it asks for a GitHub PAT with 'repo' scope (very powerful). If possible, create a temporary, least-privilege PAT limited to what you need (or a throwaway account) and revoke it after use.
- Live API calls: the skill requires curl and forces real API requests (it has a 'self-test' requiring actual API responses). Expect network activity and PR creation on your GitHub account.
- Sensitive data handling: the SKILL.md instructs not to store tokens and to mask them in output, but that is an instruction — there is no enforcement. Do not paste tokens into chat logs you don't control.
- Test first: run a dry-run on a small test skill or sandbox account to observe behavior (or run in an isolated environment).
If you want to proceed: (1) provide the minimum-scoped tokens you can, (2) confirm the exact target repos and branches before the skill creates forks/PRs, and (3) monitor your GitHub security audit log and revoke the token after the operation if you used elevated scopes.
Functional analysis
Type: OpenClaw Skill
Name: skill-publish-to-market
Version: 1.0.0
The skill automates the publishing of code to multiple marketplaces and requires high-privilege credentials, specifically GitHub Personal Access Tokens (PAT) with 'repo' and 'workflow' scopes and ClawHub tokens. It executes shell-based network operations via curl to external endpoints (api.github.com, clawhub.ai) and performs file manipulations using sed and grep. While the behavior is aligned with the stated purpose and includes explicit instructions in SKILL.md to avoid logging tokens, the handling of sensitive credentials and the potential for shell injection via unvalidated metadata or file paths in templates.md represent a significant security risk.
Capability assessment
Purpose & Capability
The skill name/description (publish SKILL.md to multiple markets) aligns with the operations described in SKILL.md (Quality Gate, platform adaptation, PR creation, ClawHub API). However, the registry metadata declared no required binaries/env, but the runtime instructions explicitly require curl and other Unix utilities, so the metadata and the runtime requirements are inconsistent.
Instruction Scope
SKILL.md contains explicit, detailed runtime steps that stay within the stated publish purpose (reading SKILL.md and reference files, validating frontmatter, calling GitHub and ClawHub APIs). Two notable instruction items expand the runtime surface: (1) a 'Self-test' rule that mandates including actual API response data in outputs (forces live network calls), and (2) batch discovery logic that may scan user directories (find) within the user-provided base path. Neither is obviously malicious but they increase the chance of live network activity and broader file system access if misused.
Install Mechanism
This is instruction-only with no install spec and no code files to execute — low install risk. The README suggests copying the folder into an agent skills directory, which is normal for agent skills. No remote downloads or extracted archives are present.
Credentials
The skill requires interactive collection of a GitHub Personal Access Token with 'repo' (full repository) and 'workflow' scopes and a ClawHub token. Those credentials are justified for creating forks/branches/files/PRs and for calling the ClawHub API, but the GitHub PAT with 'repo' scope is high privilege (it can access all repositories accessible to the token owner). The skill claims never to store tokens, but it will perform live API calls and build requests using those tokens — verify you trust the skill source before providing a powerful token. The registry metadata lists no required env vars even though the skill depends on tokens at runtime (interactive collection rather than env vars).
Persistence & Privilege
The skill is not force-enabled (always: false) and does not request system-wide configuration changes or other skills' credentials. It suggests writing logs and optionally copying itself into an agent's skill directory, which is normal for skills and scoped to the skill itself.
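How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install skill-publish-to-market
- After installation, call the Skill by name or use /skill-publish-to-market to trigger it
- Provide the necessary input according to the Skill's parameter description to get structured output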
Version history
v1.0.0
Initial release with one-command publishing to four skill markets.
- Publish any SKILL.md to ClawHub, Anthropic Skills, ECC Community, and skills.sh via curl.
- Handles token collection and credential verification securely.
- Validates skill quality before publishing with a mandatory pre-check.
- Automatically adapts publishing workflow per platform, creates PRs, and resolves version conflicts.
- Supports version bumping and PR status checking.
FAQ
What is Skill Publish To Market?
Publish any SKILL.md to 4 skill markets (ClawHub, Anthropic Skills, ECC Community, skills.sh) with one command. Collects tokens, validates quality, creates P... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 84 cumulative downloads so far.
How do I install Skill Publish To Market?
Run the command "/install skill-publish-to-market" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Skill Publish To Market free?
Yes, Skill Publish To Market is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does Skill Publish To Market support?
Skill Publish To Market runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Skill Publish To Market?
It is developed and maintained by dingtom336-gif (@dingtom336-gif); the current version is v1.0.0.