📦 Plugin — 插件
v1.0.0Publisher 为 Claude Code、Cowork 与 OpenClaw 端到端创建并发布插件。覆盖完整生命周期:设计插件,按正确 An... 脚手架初始化。
0· 19·0 当前·0 累计
by 下载技能包
最后更新
2026/4/21
安全扫描
OpenClaw
可疑
high confidenceThe skill's scaffolding and OpenClaw conversion parts match its stated purpose, but it claims GitHub publishing and other network actions without declaring the required binaries or credentials — that mismatch is unexplained and worth caution.
评估建议
This skill largely does what it says (scaffold plugin directories, generate manifests, and produce an OpenClaw deployment script), but the red flag is its claim to 'create/connect to a GitHub repo and push' without declaring the required tools or credentials. Before installing or running anything: 1) Inspect the full SKILL.md to find exact git/remote commands it would execute. 2) Do not paste or expose any secrets or tokens to the agent; prefer to run git pushes yourself or use your local, alrea...详细分析 ▾
⚠ 用途与能力
The skill claims end-to-end plugin creation and publishing (including 'create or connect to a GitHub repo, push it, and package a .plugin file'). However the registry metadata declares no required binaries (git, gh) and no required environment variables (e.g., GITHUB_TOKEN or SSH key paths). That omission is inconsistent: pushing to GitHub or automated publishing normally requires credentials and/or CLI tools.
ℹ 指令范围
The SKILL.md primarily instructs the agent to scaffold plugin files, produce marketplace and plugin manifests, and generate an openclaw-install.sh installer — all consistent with the stated purpose. It also says it will 'create or connect to a GitHub repo, push it' but the provided instructions and template script do not declare how authentication or network pushes are handled. The skill may rely on interactive user-provided credentials or implicit environment state (SSH agent, `git` already logged in), but that behavior is not documented in the skill manifest, which grants the agent wide discretion in how to proceed.
ℹ 安装机制
This is instruction-only (no install spec), which is low-risk. The package includes a bash template script that writes into the user's home (~/.openclaw) and references the `openclaw` binary. The script also prints an install hint using curl to fetch openclaw's installer ('curl -fsSL https://openclaw.ai/install.sh | bash'), which is a network-based install pattern — expected for installing a third-party tool but worth reviewing before running.
⚠ 凭证需求
Although the SKILL.md and references discuss using ${ENV_VAR} placeholders for MCP server secrets and documenting required env vars in READMEs, the skill metadata itself declares no required environment variables. Given the claimed capabilities (GitHub pushes, possible .mcp.json secrets), it's disproportionate to request no credential-related inputs — the skill should explicitly declare what credentials it needs and how it will obtain them (interactive prompt, user-provided env vars, or local SSH/credential helpers).
✓ 持久化与权限
The skill does not set always:true and does not request elevated platform privileges. The included script writes files to the user's OpenClaw workspace (~/.openclaw) which is consistent with its purpose of deploying an agent, and does not appear to modify other skills' configurations. Autonomous invocation is enabled by default (normal) but not combined here with other high-risk flags.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/21
Initial release - End-to-end plugin creation and publishing for Claude Code, Cowork, and OpenClaw
● 可疑
安装命令
点击复制官方npx clawhub@latest install autosolutions-plugin-publisher
镜像加速npx clawhub@latest install autosolutions-plugin-publisher --registry https://cn.longxiaskill.com