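ClawHub Skill Audit
Maintain the health of your published ClawHub skills: detect drift, find new candidates, review security flags.
When to use
- Weekly (Monday 09:00 AEST, automated via launchd)
- Any time Nissan asks "do we need to update our ClawHub skills?"
- Before a major release that ships new skills
- When a skill shows unexpected behaviour that might have been fixed in a newer ClawHub version
Tools required
- clawhub CLI (npm global: `~/.npm-global/bin/clawhub`)
- `scripts/skill-lifecycle/drift-detector.py`: version comparison
- `scripts/clawhub_audit.py`: local security compliance check
- `scripts/skill-lifecycle/publish-skill.sh`: publish gate
Full playbook
See `playbooks/clawhub-skill-lifecycle/PLAYBOOK.md` for the complete step-by-step guide.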
Quick audit (3 commands)
1. Check drift (local vs published)
```bash
/Users/loki/.pyenv/versions/3.14.3/bin/python3 \
  ~/.openclaw/workspace/scripts/skill-lifecycle/drift-detector.py
```
2. Check for hidden / flagged skills
```bash
for skill in agent-hive llm-eval-router fastapi-studio-template observability-lgtm \
    insight-engine fact-checker agent-budget-governance demo-precacher \
    gateway-env-injector mistral-agents-orchestrator multi-agent-pipeline \
    tweet-humanizer tweet-pipeline notion-content-pipeline security-auditor; do
  # Keep only the ownership, version and scan-status lines of the inspect output
  result=$(clawhub inspect "$skill" 2>&1 | grep -E 'Owner:|Latest:|hidden|security|flag|pending')
  echo "$skill: $result"
done
```
Look for: `hidden while security scan is pending` or any flag/warning text.
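3. Find new candidates (never published)
```bash
for d in ~/.openclaw/workspace/skills/*/; do
  name=$(basename "$d")
  # Byte count of the first version: line; 0 means SKILL.md declares no version
  has_version=$(grep -m1 '^version:' "$d/SKILL.md" 2>/dev/null | wc -c)
  # Empty unless ClawHub already lists this slug under nissan
  published=$(clawhub inspect "$name" 2>/dev/null | grep 'Owner: nissan')
  # $has_version stays unquoted: macOS wc pads its output with spaces
  if [ $has_version -gt 0 ] && [ -z "$published" ]; then
    ver=$(grep -m1 '^version:' "$d/SKILL.md" | awk '{print $2}' | tr -d '"')
    echo "Candidate: $name @ $ver"
  fi
done
```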
Publishing a skill update
```bash
# 1. Bump version in SKILL.md frontmatter
# 2. Add CHANGELOG.md entry
# 3. Run publish gate (checks version + changelog)
bash ~/.openclaw/workspace/scripts/skill-lifecycle/publish-skill.sh <skill-name>
# 4. Publish
clawhub publish ~/.openclaw/workspace/skills/<skill-name>
```
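Fixing a security-flagged skill
1. Run local compliance check:
```bash
/Users/loki/.pyenv/versions/3.14.3/bin/python3 \
  ~/.openclaw/workspace/scripts/clawhub_audit.py <skill-name>
```
2. Fix the flagged issues (typically: undeclared env vars, missing `network.outbound`, suspicious patterns)
3. Bump patch version, add CHANGELOG entry, republish.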
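Ownership conflicts
If `clawhub publish` returns `Error: Only the owner can publish updates`:
- The skill was installed from ClawHub and belongs to another account
- Do NOT try to re-publish under the same slug
- Options: fork as `reddi-<name>`, or keep local-only
- To fork: copy skill dir → rename to `reddi-<name>` → update `name:` in SKILL.md → publish new slug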
Known nissan-owned slugs (as of 2026-03-25)
```
agent-hive, llm-eval-router, fastapi-studio-template, observability-lgtm,
insight-engine, fact-checker, agent-budget-governance, demo-precacher,
gateway-env-injector, mistral-agents-orchestrator, multi-agent-pipeline,
tweet-humanizer, tweet-pipeline, notion-content-pipeline
```
Known community skills with local improvements
| Skill | Published owner | Recommended action |
|---|---|---|
| `humanizer` | biostartechnology | Fork as `reddi-humanizer` |
| `self-improving-agent` | pskoett | Audit diff, then fork or local-only |
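Gotchas
- `clawhub explore` returns empty; use `clawhub inspect <slug>` per skill
- `_meta.json` in skill dir = drift tracker. Missing = drift detector can't compare. After publish, clawhub writes this file.
- Security scan is usually quick (minutes) but can take hours. Hidden ≠ failed; wait and re-check.
- Rate limit: max 5 new skill publishes per hour. Batch in groups of 5, wait ~60s between groups.
- ClawHub ahead of local: `fastapi-studio-template`, `insight-engine`, `fact-checker`, `demo-precacher` show higher published versions than local. Run `clawhub update <slug>` to pull those down and sync.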
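An added example, not part of the original skill or its scripts: it folds the ownership, hidden-scan and version-drift rules above into one triage function. The `Owner:`/`Latest:` line layout of `clawhub inspect` output and both sample strings are assumptions constructed for illustration; versions are compared numerically so that 1.10.0 ranks above 1.9.0.

```python
import re

# Constructed sample: the page only shows that `clawhub inspect` output is
# grepped for "Owner:", "Latest:" and "hidden"; this exact layout is assumed.
SAMPLE_INSPECT = "Owner: nissan\nLatest: 1.10.0\n"
SAMPLE_SKILL_MD = 'name: demo-skill\nversion: "1.9.0"\n'

def parse_version(text):
    """Turn 1.9.0 or "1.9.0" into a tuple of ints so 1.10.0 sorts above 1.9.0."""
    m = re.fullmatch(r'\s*"?(\d+)\.(\d+)\.(\d+)"?\s*', text)
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    return tuple(int(part) for part in m.groups())

def field(label, text):
    """Return the first value on a line starting with `label:`, else None."""
    m = re.search(rf"^{label}:[ \t]*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None

def triage(skill_md, inspect_output, me="nissan"):
    """Map one skill to the action this runbook prescribes for its state."""
    local = field("version", skill_md)
    if local is None:
        return "skip: no version in SKILL.md"
    owner = field("Owner", inspect_output)
    if owner is None:
        return "candidate: never published"
    if owner != me:
        # Publishing would fail with "Only the owner can publish updates"
        return f"fork or keep local-only: slug owned by {owner}"
    if "hidden" in inspect_output:
        return "wait: security scan pending, re-check later"
    latest = field("Latest", inspect_output)
    if latest is None:
        return "check manually: no Latest line in inspect output"
    local_v, published_v = parse_version(local), parse_version(latest)
    if published_v > local_v:
        return "clawhub update: published is ahead of local"
    if published_v < local_v:
        return "publish: local is ahead of published"
    return "in sync"

if __name__ == "__main__":
    print(triage(SAMPLE_SKILL_MD, SAMPLE_INSPECT))
```

Unlike the `grep 'Owner: nissan'` candidate loop, this separates a slug that was never published from one that another account already owns.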