Clawhub Publisher — Skill Tool
v1.0.0 [Auto-translated] Automate skill publishing to ClawHub with versioning, changelog generation, asset bundling, metadata validation, and one-command deployment.
0 · 1,193 · 5 current · 6 cumulative
Security scan
OpenClaw
Suspicious
Medium confidence
The SKILL.md describes a package that requires an API key and installs external packages, but the skill bundle contains no executable code and the declared metadata does not list the required credentials—this mismatch is concerning and needs clarification before use.
Assessment recommendations
This skill's documentation shows a publisher that requires installing an external npm/pip package and an API key (CLAWHUB_API_KEY), but the distributed bundle contains only documentation and package metadata (no index.js or CLI), and the registry metadata does not declare the API key requirement. Before installing or giving any secrets: 1) Verify the referenced package exists on npm/PyPI and inspect its source (or the GitHub repository) to confirm behavior and trustworthiness; 2) Confirm the CLA...
⚠ Purpose and capabilities
The skill claims to be a 'ClawHub Publisher' (publishing, changelogs, bundling, analytics) and shows example usage that requires an external package (clawhub-publisher) and an environment variable (process.env.CLAWHUB_API_KEY). However, the skill bundle contains no runtime code or binaries, and the registry metadata lists no required environment variables or primary credential. That mismatch (described capability vs. actual footprint) is incoherent: either this skill is only documentation/instructions or it omits critical required credentials and code.
ℹ Instruction scope
The SKILL.md stays within the publishing domain (reading a skillPath, generating changelog from git, interacting with ClawHub via an API key). It does instruct use of git metadata and local skill directories (skillPath), which is expected for a publisher. However, the instructions reference an environment variable (CLAWHUB_API_KEY) and remote operations (publishing, analytics, team management) that are not declared in the registry metadata—this is a scope/requirements mismatch that should be reconciled.
⚠ Install mechanism
There is no install spec in the registry bundle; SKILL.md tells users/agents to run npm or pip installs (npm install clawhub-publisher). That means runtime behavior depends on fetching an external package from package registries. The package.json in the bundle references an index.js and a CLI, but those files are not included in this skill bundle. This forces installing and executing external code to get the described functionality—reasonable for a publisher tool but higher risk because the bundle doesn't include or verify that external code.
⚠ Credential requirements
The example usage and CI instructions require an API key (CLAWHUB_API_KEY) and possibly other secrets (CI secrets for GitHub Actions). Yet the registry metadata declares no required env vars or primary credential. Requesting an API key for publishing is reasonable, but not declaring it in metadata and not providing the implementation to show how it's used is a red flag. Ensure only a service-scoped publishing token is requested and that the skill does not ask for unrelated credentials.
✓ Persistence and privileges
The skill does not request persistent always-on presence and default autonomy settings are unchanged. There is no evidence it modifies other skills or global agent config. No persistence/privilege escalation indicators in the provided files.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest v1.0.0 2026/2/11
Production-ready skill
● Benign
Install command
Official: npx clawhub@latest install clawhub-publisher
Mirror (accelerated): npx clawhub@latest install clawhub-publisher --registry https://cn.clawhub-mirror.com
Data source: ClawHub ↗ · Chinese localization: 龙虾技能库