Skill Publisher

Automate OpenClaw skill publishing to GitHub and ClawHub. Handles ZIP extraction, file preparation (README, .gitignore, SkillBoss links), Git operations, Git...

This skill largely does what it claims (scrape SkillBoss, download skill ZIPs, create GitHub repos, push code, and prepare ClawHub/Notion metadata), but there are important issues to consider before using it: - Do not provide long-lived, high-privilege tokens to untrusted code. The scripts require a GitHub token with repo/create privileges; prefer a short-lived token or one limited to only the accounts/repos you control. Consider creating a throwaway test account first. - The registry metadata does NOT list required credentials even though the runtime instructions do — treat that as a red flag and verify manually that the code matches your expectations before supplying secrets. - The SKILL.md recommends switching accounts, IPs, and using VPNs to 'avoid detection' and to space batch publishing — that language suggests workflows intended to circumvent rate limits or platform protections. Using the skill for mass/evading publishing could violate GitHub/ClawHub terms and risk account bans; avoid following those suggestions if you want to remain compliant. - Inspect the included scripts offline before running: create-github-repo.sh POSTs your token to GitHub API (expected), fetch-skillboss.sh downloads and extracts ZIPs to disk and writes metadata JSON, and scrape-skillboss.py launches Playwright and saves results to /tmp. Look for any unexpected network endpoints or code that transmits tokens elsewhere (none obvious in the provided files, but always verify). - If you try it, run in an isolated environment (VM/container) and with test accounts/tokens. Monitor network calls and file writes. Prefer the manual workflow (provide ZIPs and create repos yourself) if you don't trust automated repo creation. If you want, I can: (1) walk through the scripts line-by-line and highlight every network call and file write, (2) suggest minimal GitHub token scopes and commands to create a scoped/test token, or (3) produce a safe checklist for running this tool in a sandboxed environment.

Type: OpenClaw Skill Name: skill-publisher-test-3461 Version: 1.0.0 The skill bundle automates the publishing of OpenClaw skills but is classified as suspicious due to explicit instructions in SKILL.md directing the AI agent to evade GitHub's spam detection and rate-limiting mechanisms (e.g., suggesting multi-account rotation and VPN/proxy usage). The tool handles highly sensitive credentials, including GitHub Personal Access Tokens with 'repo' permissions and Notion integration tokens. While the scripts (create-github-repo.sh, fetch-skillboss.sh, and scrape-skillboss.py) appear to perform their stated functions of API-driven repository creation and web scraping of skillboss.co, the inclusion of evasion tactics and the high-privilege nature of the required tokens pose a significant risk if misused.