Skill Publish Tool

自动更新 GitHub 仓库并发布 Skill 到 ClawHub。当用户需要发布 skill 更新时使用此技能。支持自动版本号递增、更新日志管理、Git 提交推送、ClawHub 发布。

This tool appears to implement the advertised publish workflow, but review and caution are advised before use: - Review the script before running. It uses shell=True and composes shell commands with user-supplied inputs (slug, changelog, commit message). Malicious or accidental special characters can change commands or inject arbitrary shell commands. If you don't trust inputs, do not run it. - Test in a throwaway repository first. Run with --skip-git and --skip-clawhub to verify file updates, then run with --skip-clawhub to validate Git behavior before publishing. - Sanitize inputs you pass (avoid quotes, backticks, semicolons, &&, |, etc.) or modify the script to use subprocess.run([...], shell=False) and properly escape/quote arguments. - Be cautious with the USAGE suggestions about force-push; force-pushing can irreversibly overwrite remote history. - Consider installing/pinning clawhub instead of using npx @latest (npx downloads code at runtime). If you must use npx, prefer pinning a known-safe version rather than @latest. - Ensure Git credentials and npm/ClawHub authentication are configured in a secure way (SSH keys or credential helpers), and avoid running the publish as root or in environments with broad access. If you want a higher-confidence assessment, provide any CI usage examples, the expected format of ClawHub authentication (token vs interactive login), or allow me to suggest a minimal patch to remove shell=True and safely pass arguments to external commands.

Type: OpenClaw Skill Name: skill-publish-tool Version: 1.0.4 The skill provides legitimate automation for publishing OpenClaw skills to GitHub and ClawHub, but it contains a critical shell injection vulnerability. The script `scripts/publish_skill.py` uses `subprocess.run(shell=True)` with unsanitized f-strings to execute commands, specifically incorporating the `--changelog` and `--slug` arguments directly into shell strings. While there is no evidence of intentional malice or data exfiltration, this implementation flaw allows for arbitrary command execution if malicious input is provided to the tool's parameters.