Total downloads: 368
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install wells1137-skill-publisher
Description
Automates the multi-channel publishing of Agent Skills. Use when the user wants to release a new version of their skills to ClaWHub, GitHub, and other platfo...
Security usage recommendations
Do not run this skill or provide your GitHub PAT or ClaWHub token. The package contains multiple deliberate hardcoded references to the author's repo (wells1137/skills-gen) and will install workflows that (a) push changes, (b) set repo secrets, (c) trigger installs and PRs that promote the author, and (d) use the GH token to perform actions on behalf of the user. If you need similar functionality, either: (1) review and edit the scripts locally to remove or parameterize all hardcoded values (replace wells1137/skills-gen with your target repo and fix the asset path), run them in a test repository, and restrict tokens to minimal scopes; or (2) manually add the workflows and secrets via GitHub's web UI after auditing the files. Avoid supplying a PAT with broad repo/workflow/admin scopes to untrusted code. If you want, I can list the exact lines and files to change to make this safe and coherent (e.g., parameterize REPO in setup-github-topics.sh, make asset copy relative, and remove npx install that targets wells1137).
Functional analysis
Type: OpenClaw Skill
Name: wells1137-skill-publisher
Version: 1.0.0
The skill is classified as suspicious due to multiple instances of unauthorized use of the user's GitHub credentials and CI/CD resources for the skill owner's self-promotion. Specifically, `scripts/setup.sh` executes `assets/scripts/setup-github-topics.sh` which attempts to set topics for the hardcoded `wells1137/skills-gen` repository using the user's `GH_PAT`. Additionally, the `assets/workflows/publish.yml` workflow includes a job that triggers an install count for `wells1137/skills-gen` using the user's CI/CD. Most critically, `assets/workflows/submit-awesome-lists.yml` uses the user's `GH_PAT` to fork a third-party repository, commit changes under the skill owner's name, and create a pull request to promote `wells1137/skills-gen` (e.g., to `ComposioHQ/awesome-claude-skills`). These actions leverage the user's resources for the skill owner's benefit without explicit consent for these specific promotional activities.
Capability assessment
Purpose & Capability
The skill claims to install CI/CD into a target repository, but many artifacts are hardcoded to the author's repo (wells1137/skills-gen) and to a fixed assets path (/home/ubuntu/skills/skill-publisher/assets). Examples: scripts/setup-github-topics.sh sets topics for REPO="wells1137/skills-gen" instead of the user-provided repo; release messages and monitoring links in assets/scripts/release.sh reference wells1137. That mismatch strongly suggests the skill will act on the author's repos or promote them rather than reliably configuring the user's target repository.
Instruction Scope
The runtime instructions and bundled scripts do more than set up a publishing pipeline for the user's repo: they clone the user repo, add workflows and scripts, set repository secrets, push to main, and then run actions that (a) publish content referencing wells1137, (b) trigger an install count by running `npx skills add wells1137/skills-gen`, and (c) fork and submit PRs that add an entry for wells1137 to external awesome lists. Several operations are explicitly self-promotional and unrelated to the user's stated goal. The setup script also copies assets from a hardcoded absolute path rather than from the skill bundle, which is inconsistent and suspicious.
Install Mechanism
There is no formal install spec (instruction-only), but code files are bundled and intended to be executed. The scripts reference local asset locations that don't match the included file layout (hardcoded /home/ubuntu/... path), which is either an error or an attempt to rely on a privileged installation location. No remote downloads were observed, which reduces one class of risk, but the bundled code will be written into the user's repository and executed by GitHub Actions.
Credentials
The scripts prompt for and require a GitHub PAT (GH_PAT) and a ClaWHub token and then set those values as repository secrets. While a PAT with repo/workflow scopes is plausible for setting up workflows, the token is used to perform actions that benefit the skill author (forking/submitting PRs and triggering installs for wells1137). The skill's declared metadata lists no required env vars, but the SKILL.md and scripts explicitly ask for and use these credentials — a mismatch and a high-risk request because the token will be used to push commits and configure repository secrets.
Persistence & Privilege
The setup script commits and pushes CI files to the target repo, sets repository secrets, and runs scripts that will cause GitHub Actions to execute publishing and network operations. Although always:false, the skill will embed persistent workflows in the user's repository that run with repository privileges. Combined with the GH_PAT being set as a secret in the repo, this gives the skill (and the workflows it installs) ongoing ability to act in that repository.
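How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the dialog: /install wells1137-skill-publisher
- Once installation completes, invoke the Skill by name or trigger it with /wells1137-skill-publisher
- Provide the required inputs according to the Skill's parameter description to get structured output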
Version history
v1.0.0
Initial release: automates multi-channel AgentSkill publishing pipeline
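FAQ
What is Skill Publisher?
Automates the multi-channel publishing of Agent Skills. Use when the user wants to release a new version of their skills to ClaWHub, GitHub, and other platfo... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 368 cumulative downloads to date.
How do I install Skill Publisher?
Run the command "/install wells1137-skill-publisher" in the OpenClaw or Claude Code dialog to install it in one step; no additional configuration is required.
Is Skill Publisher free?
Yes, Skill Publisher is completely free (open source and free) and can be freely downloaded, installed, and used.
Which platforms does Skill Publisher support?
Skill Publisher runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Skill Publisher?
Developed and maintained by Wells Wu (@wells1137); the current version is v1.0.0.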