概述

ClawHub Publish Security Skill 🔒

Description

Mandatory security scanner for ClawHub skill publication. Automatically detects and prevents accidental exposure of sensitive information in skills before publication.

When to Use This Skill

ALWAYS run before clawhub publish:

Publishing your first skill
Updating existing skills
Any skill that contains configuration examples
Scripts that handle credentials or paths

Installation

# Install via ClawHub
clawhub install clawhub-publish-security

# The skill installs:
# - security-scan.py (automated scanner)
# - README.md (complete security guide)
# - SKILL.md (this file)

Usage

Quick Scan

# Scan a skill before publication
python skills/clawhub-publish-security/security-scan.py skills/your-skill

# Or from skill directory
cd skills/your-skill
python ../clawhub-publish-security/security-scan.py .

Pre-Publish Workflow

# 1. Create your skill
cd skills/my-awesome-skill

# 2. Run security scan
python ../clawhub-publish-security/security-scan.py .

# 3. Fix any issues found

# 4. Re-run scan until clean
python ../clawhub-publish-security/security-scan.py .

# 5. Publish only when scan passes
clawhub publish . --slug my-awesome-skill

What It Checks

❌ Blocked Patterns (Will Fail Scan)

Type	Pattern	Example (❌ BAD)	Fix (✅ GOOD)
------	---------	-----------------	---------------
Phone Numbers	`+420...`, `+1...`	`+420XXXXXXXXX`
Personal Paths	`Users\name\`	`C:\COMFYUI`	`C:\ComfyUI`
API Keys	`api_key=XXX`	`api_key=sk-XXX`	`os.environ.get("API_KEY")`
Tokens	`token=XXX`	`token=ghp_XXX`
Emails	`XXX@XXX.com`	`placeholder@placeholder.com`
Passwords	`password=XXX`	`password=XXX`
Secrets	`secret=XXX`	`secret=XXX`

✅ Allowed Patterns (Safe)

Type	Example	Status
------	---------	--------
Placeholders		✅ Safe
Env vars	`os.environ.get("API_KEY")`	✅ Safe
Generic paths	`C:\ComfyUI`, `~/.openclaw`	✅ Safe
Author name	`"author": "Name (user)"`	✅ Safe
Public URLs	`https://github.com/...`	✅ Safe

Output Examples

Clean Scan ✅

============================================================
[LOCK] ClawHub Publish Security Scanner
============================================================

[DIR] Scanning: C:\Users\vilda\.openclaw\workspace\skills\your-skill

[OK] Phone Numbers:     CLEAN (0 found)
[OK] Personal Paths:    CLEAN (0 found)
[OK] API Keys:          CLEAN (0 found)
[OK] Tokens:            CLEAN (0 found)
[OK] Emails:            CLEAN (0 found)
[OK] Passwords:         CLEAN (0 found)
[OK] Secrets:           CLEAN (0 found)

[PASS] ALL CHECKS PASSED - Ready for publication!

[OK] You can now safely run: clawhub publish

Failed Scan ❌

============================================================
[LOCK] ClawHub Publish Security Scanner
============================================================

[DIR] Scanning: C:\Users\vilda\.openclaw\workspace\skills\your-skill

[FAIL] Phone Numbers:     FOUND (1 issue)
   - config.json:15: "+420XXXXXXXXX"

[OK] Personal Paths:    CLEAN (0 found)
[OK] API Keys:          CLEAN (0 found)
...

============================================================
[FAIL] SECURITY ISSUES FOUND - Do NOT publish!
   Total issues: 1
============================================================

[INFO] How to fix:
   - Phone numbers: Replace with <YOUR_PHONE_NUMBER>

[FAIL] After fixing, re-run: python security-scan.py /path/to/skill
[OK] Only publish when ALL checks pass!

Files to Scan

Always Scan These:

File	Risk Level	Common Issues
------	------------	---------------
`.py`, `.js`	🔴 High	Hardcoded credentials
`config.json`	🔴 High	API keys, tokens
`.sh`, `.ps1`	🔴 High	Personal paths
`README.md`	🟡 Medium	Example values
`SKILL.md`	🟡 Medium	Config examples

Safe to Skip:

File	Reason
------	--------
`*.md` (docs only)	Low risk, but still scanned
`LICENSE`	No credentials
`.gitignore`	No credentials

Integration

OpenClaw Pre-Publish Hook

Add to your workflow:

# Before every publish
alias clawhub-publish="python skills/clawhub-publish-security/security-scan.py . && clawhub publish"

# Usage
clawhub-publish . --slug my-skill

CI/CD Pipeline

# GitHub Actions example
- name: Security Scan
  run: python skills/clawhub-publish-security/security-scan.py ./skills/my-skill

- name: Publish to ClawHub
  if: success()
  run: clawhub publish ./skills/my-skill

Best Practices

DO ✅

# Environment variables
api_key = os.environ.get("API_KEY")

# Generic paths
comfyui_path = r"C:\ComfyUI"

# Placeholders in docs
"target": "<YOUR_PHONE_NUMBER>"

# Author attribution
"author": "Name (username)"

DON'T ❌

# Hardcoded credentials
api_key = "sk-XXX"

# Personal paths
comfyui_path = r"C:\<name>\ComfyUI"

# Real values in examples
"target": "+420XXXXXXXXX"

Troubleshooting

False Positive: Email in Author Field

Problem: Scanner flags email in author attribution

Solution: This is intentional - emails should not be in published skills. Use:

"author": "Name (username)"

False Positive: Generic Path

Problem: C:\Program Files flagged

Solution: This is a system path, should be safe. If flagged, report as bug.

Scan Hangs

Problem: Scan takes too long

Solution: Check for large files or binary files. Add to .gitignore.

Related Skills

clawhub-smart-updater - Safe skill updates
openclaw-safe-audit - Security audit for OpenClaw
edgeone-clawscan - Tencent security scanner

License

MIT-0 - Free to use, modify, and redistribute without attribution.

Author

Klepeto 🦞 (vilda)

Created: 2026-05-07

Purpose: Prevent security incidents in published ClawHub skills

Changelog

1.0.0 (2026-05-07)

Initial release
Automated security scanning
Pattern detection for 7 sensitive data types
Pre-publish checklist
CI/CD integration support

版本历史

共 1 个版本

v1.0.1 当前

2026-05-08 13:22 安全安全

安全检测

腾讯云安全 (Keen)

安全，无风险

查看报告

腾讯云安全 (Sanbu)