{
  "schemaVersion": "1.0",
  "item": {
    "slug": "skill-releaser",
    "name": "Skill Releaser",
    "source": "tencent",
    "type": "skill",
    "category": "开发工具",
    "sourceUrl": "https://clawhub.ai/chunhualiao/skill-releaser",
    "canonicalUrl": "https://clawhub.ai/chunhualiao/skill-releaser",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/skill-releaser",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=skill-releaser",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "CHANGELOG.md",
      "README.md",
      "SKILL.md",
      "STATUS.json",
      "scripts/README.md",
      "scripts/opsec-scan.sh"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-05-07T17:22:31.273Z",
      "expiresAt": "2026-05-14T17:22:31.273Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report",
        "contentDisposition": "attachment; filename=\"afrexai-annual-report-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/skill-releaser"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/skill-releaser",
    "agentPageUrl": "https://openagent3.xyz/skills/skill-releaser/agent",
    "manifestUrl": "https://openagent3.xyz/skills/skill-releaser/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/skill-releaser/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Skill Releaser",
        "body": "Orchestrates the full skill publication pipeline from internal repo to ClawhHub."
      },
      {
        "title": "When to Use",
        "body": "User says \"release {skill}\" or \"publish {skill} to clawhub\"\nUser says \"prepare {skill} for release\" or \"check release readiness\"\nUser says \"review {skill} for publication\"\nCron-triggered release check during refactory pipeline"
      },
      {
        "title": "Assumptions",
        "body": "How OpenClaw and user interact during release:\n\nAgent runs on a machine with shell access (exec tool) for git and CLI operations\nUser communicates via messaging channel (Telegram, Discord, Signal, etc.) — likely on a phone\nUser reviews the private GitHub repo directly in their browser/phone — the repo IS the review artifact, not a text summary\nUser approves or rejects by replying to the agent's message (natural language: \"approve\", \"revise: fix the readme\", \"reject\")\nAgent can create and manage GitHub repos via gh CLI on behalf of the user's authenticated account\nAgent pushes to the private staging repo BEFORE requesting user review, so there is something to review\nAgent does NOT publish anything publicly without explicit user approval — this is a hard gate\nThe repo starts private for staging and review. At release time, history is erased via orphan branch + force push (single clean commit), then flipped to public\nThe full release can span multiple sessions — the private staging repo preserves state so any agent can resume\nMultiple skills can be in different stages of the pipeline simultaneously"
      },
      {
        "title": "Prerequisites",
        "body": "gh CLI authenticated (for repo creation and visibility changes)\nclawhub CLI installed (for ClawhHub publishing)\nA skill directory with at least a SKILL.md file"
      },
      {
        "title": "Scope & Boundaries",
        "body": "This skill handles: The full release pipeline — structure scaffolding, OPSEC scanning, review, publishing.\nThis skill does NOT handle: Skill content creation or design. The SKILL.md must already describe what the skill does. Everything else (boilerplate, structure, scaffolding) is this pipeline's job.\n\nA user with a finished SKILL.md should be able to say \"release this skill\" and this skill handles everything from there — including generating all missing structure files."
      },
      {
        "title": "Automation Model",
        "body": "The pipeline has two fully automated phases separated by one human gate. Both single and batch releases follow the same model."
      },
      {
        "title": "Single Skill",
        "body": "Phase 1 (AUTO): Steps 1-7 — scaffold, validate, stage, scan, review, push\n     ↓\n  GATE: User reviews private repo, replies \"approve\" / \"revise\" / \"reject\"\n     ↓\nPhase 2 (AUTO): Steps 9-12 — erase history, flip public, publish, verify scan, deliver"
      },
      {
        "title": "Batch Release (multiple skills)",
        "body": "Phase 1 (PARALLEL): Spawn subagents — one per skill, all run Phase 1 simultaneously\n     ↓\n  GATE: ONE batch review message with all repo links\n        User replies: \"approve all\" / \"approve A,C; revise B: fix readme\"\n     ↓\nPhase 2 (PARALLEL): Spawn subagents for approved skills, all publish simultaneously\n     ↓\n  DELIVERY: ONE batch summary with all links and scan results\n\nBatch rules:\n\nNever serialize releases — spawn parallel subagents for Phase 1\nNever block on one approval to start the next Phase 1\nAssign each skill a short unique ID (A, B, C...) in the batch review message\nCollect all Phase 1 results, present ONE batch review message with short IDs\nAccept batch approvals: \"approve all\" / \"approve A,C\" / \"revise B: fix readme\"\nRun all Phase 2s in parallel after approval\n\nDesign principles:\n\nUser says \"release these skills\" once. Agent runs all Phase 1s in parallel without interruption.\nAgent sends ONE message: all review links + recommendations. Then waits.\nUser replies once. Agent runs all Phase 2s in parallel without interruption.\nAgent sends ONE delivery message with all results.\nIf any step fails, agent fixes it automatically and continues. Only report to user if unfixable.\nRate limits, retries, and delays are handled silently (sleep + retry, not \"rate limited, should I try again?\")\n\nAnti-patterns (never do these):\n\nDo not serialize releases — always parallelize with subagents\nDo not block on approval for skill A before starting Phase 1 for skill B\nDo not send per-skill review messages — batch them\nDo not ask \"should I create the repo?\" — just create it\nDo not report intermediate steps — only the batch review and batch delivery\nDo not ask about rate limits or transient errors — retry silently"
      },
      {
        "title": "Step 1: Structure Scaffolding (Auto-Generate Boilerplate)",
        "body": "Before any quality checks, generate all missing structure files from the existing SKILL.md:\n\nAuto-generate if missing:\n\nFileSourceGeneration Methodskill.ymlSKILL.md frontmatter + triggersExtract name, description, version, triggers from SKILL.mdREADME.mdSKILL.md description + usageGitHub landing page for humans: what it does, how to install, future work. NOT agent instructions.CHANGELOG.mdVersion from skill.yml + git log## v{version} — {date} + summary of current statetests/test-triggers.jsonSKILL.md triggers + \"When to Use\"shouldTrigger from triggers list, shouldNotTrigger from anti-patternsscripts/Create directoryEmpty dir or placeholder README if no scripts neededreferences/Create directoryEmpty dir or placeholder README if no references neededLICENSEDefault MITStandard MIT license text.gitignoreStandardnode_modules/, .DS_Store, *.log\n\nRules:\n\nNever overwrite existing files — only generate what's missing\nAll generated content derives from SKILL.md — no hallucinated features\nIf SKILL.md lacks enough info to generate a file, flag it as a content gap (user must fix SKILL.md first)\nGenerated README.md must make sense to a stranger who has never seen the skill before\n\nValidation after scaffolding:\n\nRun scripts/validate-structure.sh — must score 8/8\nIf not 8/8, identify what's still missing and fix it"
      },
      {
        "title": "Step 1.5: Version Bump (updates only)",
        "body": "If this skill has been published before, bump the version before proceeding:\n\nCheck current published version:\n\nclawhub inspect {slug}\n\nBump version in both skill.yml and SKILL.md frontmatter:\n\nPatch (1.0.0 → 1.0.1): bug fixes, typos, minor doc updates\nMinor (1.0.0 → 1.1.0): new features, new sections, structural changes\nMajor (1.0.0 → 2.0.0): breaking changes, full rewrites\n\n\n\nUpdate CHANGELOG.md with new version entry describing what changed\n\n\nVerify display_name is set in skill.yml — this is the human-readable title shown on ClawhHub.\nIt must be set explicitly; never derive it from the slug or guess it.\nIf missing, add it now:\ndisplay_name: \"Human Readable Title\"  # Required — used as ClawhHub listing title\n\nRules:\n\nTitle case, plain English, no jargon\nDescribes what the skill does, not how it's implemented\nExample: slug autonomous-task-runner → display_name: \"Autonomous Task Runner\"\nExample: slug skill-releaser → display_name: \"Skill Releaser\"\n\nSkip this step for first-time releases (but still verify display_name exists)."
      },
      {
        "title": "Step 2: Readiness Check",
        "body": "Verify the skill directory is complete:\n\nSKILL.md exists with description and usage instructions\nskill.yml exists with name, description, triggers\nStructure score 8/8 (from Step 1)\nNo obvious OPSEC violations (quick scan)\n\nIf any check fails, report what needs fixing. Do not proceed."
      },
      {
        "title": "Step 3: Create Private Staging Repo",
        "body": "# Check if repo already exists\ngh repo view your-org/openclaw-skill-{name} 2>/dev/null\n\n# If not, create it — CRITICAL: use the SANITIZED description, not the source skill.yml\n# Run OPSEC scan on the description string BEFORE passing to gh repo create\ngh repo create your-org/openclaw-skill-{name} --private --description \"{sanitized description}\"\n\nOPSEC on repo metadata: The description passed to gh repo create is public when the repo flips to public. It must be scanned for the same patterns as file contents (org names, personal info, internal project names). This is not covered by file-based scanners — it must be checked explicitly."
      },
      {
        "title": "Step 4: Prepare Release Content",
        "body": "Copy ONLY the skill directory content to a clean staging area:\n\nmkdir -p /tmp/skill-release-{name}\ncp -r skills/{name}/* /tmp/skill-release-{name}/\n\n# Remove internal-only files\nrm -f /tmp/skill-release-{name}/WORKSPACE.md\nrm -f /tmp/skill-release-{name}/.gitignore\nrm -rf /tmp/skill-release-{name}/_meta.json\nrm -rf /tmp/skill-release-{name}/.clawhub\n\nCRITICAL VALIDATION — verify before proceeding:\n\n# The release directory must contain ONLY skill files.\n# If you see ANY of these, you copied from the wrong directory — STOP and fix:\n#   - USER.md, MEMORY.md, AGENTS.md, SOUL.md (workspace/repo root files)\n#   - audits/, shared/, scripts/ (repo directories)\n#   - memory/, slides/, projects/ (personal data)\n#   - .gitmodules (repo root)\nls /tmp/skill-release-{name}/\n# Expected: SKILL.md, skill.yml, README.md, CHANGELOG.md, LICENSE, tests/, references/, scripts/\n# If file count exceeds ~15 files, something is wrong. Verify source path.\n\nAdd release files if missing:\n\nLICENSE (MIT by default)\nREADME.md (must work as GitHub landing page for strangers)\n.gitignore"
      },
      {
        "title": "Step 5: Release Content Validation (HARD GATE)",
        "body": "bash scripts/validate-release-content.sh /tmp/skill-release-{name}\n\nThis is a deterministic script that blocks pushes if the release directory contains repo-level files (USER.md, MEMORY.md, audits/, etc.), has too many files (>50), or contains suspicious file types (logs, images, PDFs).\n\nMust return SAFE (exit 0). If BLOCKED, you copied from the wrong directory. Do NOT proceed. Fix the source path and re-copy."
      },
      {
        "title": "Step 6: OPSEC Deep Scan",
        "body": "bash scripts/opsec-scan.sh /tmp/skill-release-{name}\n\nMust return CLEAN (exit 0). If violations found, fix them in the release copy. Do NOT modify the source in openclaw-knowledge — keep the internal version as-is."
      },
      {
        "title": "Step 7: Agent Review",
        "body": "Generate review document:\n\n# Release Review: {skill-name}\n\n## Checklist\n- [ ] SKILL.md clear and useful to a stranger\n- [ ] README.md works as GitHub landing page\n- [ ] skill.yml triggers accurate and complete\n- [ ] Scripts work without hardcoded dependencies\n- [ ] Tests present and described\n- [ ] CHANGELOG.md current\n- [ ] LICENSE present\n- [ ] No references to internal repos, infrastructure, or personal info\n- [ ] OPSEC scan: CLEAN\n- [ ] Competitive position: {novel|ahead}\n\n## OPSEC Scan Output\n{paste scan output}\n\n## Competitive Summary\n{from audits/{name}-competitive.md}\n\n## Recommendation\nAPPROVE / REVISE: {reasons}\n\nSave to openclaw-knowledge/reviews/{name}-release-review.md"
      },
      {
        "title": "Step 8: Push to Private Staging Repo",
        "body": "Push sanitized content so user can review the actual repo on any device (phone, laptop):\n\ncd /tmp/skill-release-{name}\ngit init\ngit config user.email \"agent@localhost\"\ngit config user.name \"SkillEngineer\"\n\n# Install OPSEC pre-commit hook — prevents sensitive data from entering git history\ncp /tmp/openclaw-knowledge/scripts/opsec-precommit-hook.sh .git/hooks/pre-commit\nchmod +x .git/hooks/pre-commit\n\ngit add .\ngit commit -m \"v{version}: Initial release of {name}\"\ngit remote add origin https://github.com/your-org/openclaw-skill-{name}.git\ngit branch -M main\ngit push -u origin main"
      },
      {
        "title": "Step 9: User Review",
        "body": "For single skills, send review link. For batch releases, collect all Phase 1 results and send ONE message.\n\nSingle skill:\n\nRELEASE REVIEW: {skill-name}\n\n{score} | OPSEC: CLEAN\n{1-line description}\nhttps://github.com/your-org/openclaw-skill-{name}\n\nReply: approve / revise:{feedback} / reject\n\nBatch review (assign short IDs for easy approval):\n\nBATCH RELEASE REVIEW — {N} skills\n\nA. {skill-name} — {score} | CLEAN | {1-line description}\nhttps://github.com/your-org/openclaw-skill-{name}\n\nB. {skill-name} — {score} | CLEAN | {1-line description}\nhttps://github.com/your-org/openclaw-skill-{name}\n\nC. {skill-name} — {score} | CLEAN | {1-line description}\nhttps://github.com/your-org/openclaw-skill-{name}\n\nReply: approve all / approve A,C / revise B:{feedback}\n\nRules:\n\nLinks on their own line (never in tables — not clickable on mobile)\nShort IDs (A, B, C) for batch approval — user should never type full skill names\nThe repo IS the review artifact. User reviews actual files, not a summary.\nWait for user response. Do not proceed without explicit approval."
      },
      {
        "title": "Step 10: Erase History & Flip to Public (after user approval)",
        "body": "Erase git history (may contain OPSEC fixes from earlier revisions) and make the repo public:\n\ncd /tmp/skill-release-{name}\n# Orphan branch erases all history\ngit checkout --orphan clean\ngit add -A\ngit commit -m \"v{version}: {name}\"\ngit branch -D main\ngit branch -m main\ngit push -f origin main\n\n# Flip visibility\ngh repo edit your-org/openclaw-skill-{name} --visibility public\n\n# Verify repo metadata is OPSEC-clean (description, topics are now public)\ngh repo view your-org/openclaw-skill-{name} --json description,repositoryTopics -q '.description + \" \" + (.repositoryTopics | join(\" \"))'\n# Manually check output for org names, personal info, internal project names\n# If dirty: gh repo edit your-org/openclaw-skill-{name} --description \"{clean description}\"\n\nSingle commit, clean history, one repo. No dual-repo complexity."
      },
      {
        "title": "Step 11: Prepare Publish Package and Request Approval",
        "body": "ClawhHub publish is an irreversible external action. It requires explicit user approval via a D-## ID before execution.\n\nExtract the publish parameters and log an approval request — do NOT run clawhub publish yet:\n\n# Extract publish parameters directly from skill.yml\nSLUG=$(grep '^name:' /tmp/skill-release-{name}/skill.yml | awk '{print $2}')\nDISPLAY_NAME=$(grep '^display_name:' /tmp/skill-release-{name}/skill.yml | sed 's/display_name: *//' | tr -d '\"')\nVERSION=$(grep '^version:' /tmp/skill-release-{name}/skill.yml | awk '{print $2}')\n\necho \"slug:         $SLUG\"\necho \"display_name: $DISPLAY_NAME\"\necho \"version:      $VERSION\"\n\nif [ -z \"$SLUG\" ] || [ -z \"$DISPLAY_NAME\" ] || [ -z \"$VERSION\" ]; then\n  echo \"ERROR: Missing slug, display_name, or version in skill.yml — fix before proceeding\"\n  exit 1\nfi\n\nIf display_name is missing from skill.yml, add it now (see Step 1.5).\n\nThen add a pending publish entry to ESCALATIONS.md:\n\nD-##: Publish {display_name} v{version} (slug: {slug}) to ClawhHub? — yes/no\n\nStop here. Wait for My Lord to reply \"D-## yes\" before proceeding to Step 11.5.\n\nOnly proceed to Step 11.5 if My Lord has explicitly approved this specific publish in the current session."
      },
      {
        "title": "Step 11.5: Execute Publish + Verify (APPROVAL REQUIRED)",
        "body": "Only run this step after receiving explicit \"D-## yes\" from My Lord.\n\nclawhub publish /tmp/skill-release-{name} \\\n  --slug \"$SLUG\" \\\n  --name \"$DISPLAY_NAME\" \\\n  --version \"$VERSION\" \\\n  --changelog \"{summary of changes from CHANGELOG.md}\"\n\nPost-publish verification — verify the live listing matches skill.yml exactly:\n\nAfter publishing, verify the live listing matches the source skill.yml exactly.\nThis step catches wrong titles, version mismatches, and stale metadata before delivery.\n\nclawhub inspect \"$SLUG\" 2>&1\n\nCompare the output against skill.yml:\n\nFieldExpected (from skill.yml)Actual (from clawhub inspect)Match?Display namedisplay_name valueFirst line of inspect output✅ / ❌Versionversion valueLatest: field✅ / ❌DescriptionFirst sentence of descriptionSummary: field (truncated)✅ / ❌Owneryour ClawhHub usernameOwner: field✅ / ❌\n\nIf any field does not match:\n\nDo NOT proceed to Step 12\nIdentify the mismatch (wrong --name, wrong --slug, stale skill.yml)\nFix the source (skill.yml or publish command), bump patch version, republish\nRe-run Step 11.5 until all fields match\nOnly proceed to Step 12 when the table shows ✅ on all rows\n\nCommon mismatches and fixes:\n\nMismatchCauseFixWrong display namedisplay_name missing from skill.yml; name was guessedAdd display_name to skill.yml, republishWrong versionskill.yml not updated before publishBump version in skill.yml, republishWrong slugname field in skill.yml doesn't match intended slugFix name in skill.yml or use correct --slugWrong ownerPublished under wrong accountCheck clawhub whoami, re-authenticate if needed"
      },
      {
        "title": "Step 12: Verify Security Scan (Browser Required)",
        "body": "ClawhHub automatically scans all published skills via VirusTotal (Code Insight) and OpenClaw's own scanner. Do not consider the release complete until scans are reviewed.\n\nUse the browser tool to check scan results — ClawhHub pages require JS rendering:\n\nOpen the skill detail page with browser:\n\nbrowser start (profile=openclaw)\nbrowser navigate → https://clawhub.ai/{username}/{slug}\nbrowser snapshot (refs=aria)\n\nFind the \"Security Scan\" section in the snapshot. It shows:\n\nVirusTotal verdict: Benign / Suspicious / Malicious / Pending\nOpenClaw verdict: Benign / Suspicious / Malicious with confidence level\nDetail text: Explanation of what was flagged (expand \"Details\" if collapsed)\nVirusTotal report link: Direct URL to full analysis\n\n\n\nInterpret results and act:\n\nVerdictMeaningActionBenign (both)Clean, auto-approvedProceed to Step 13PendingStill processingWait 2 minutes, re-snapshotSuspicious (undeclared permissions)Skill needs privileged access not in metadataAdd permissions to skill.yml, bump version, re-publishSuspicious (other)Flagged behaviorReview detail text. If false positive, contact OpenClaw security team. If real, fix and re-publishMaliciousBlocked from downloadFix immediately, bump version, re-run from Step 1.5\n\nCommon fix — undeclared permissions:\nIf flagged for privileged CLI access (gh, clawhub, git, filesystem), add a permissions field to skill.yml:\npermissions:\n  - exec: git, gh CLI (repo creation, visibility changes)\n  - exec: clawhub CLI (publishing)\n  - filesystem: read/write skill directories\n  - browser: verify scan results on ClawhHub\n\nThen bump version and re-publish. This declares intent and resolves the flag.\n\n\nIf VirusTotal is still Pending after 5 minutes, proceed to Step 12 but note it in the delivery. The scan completes asynchronously."
      },
      {
        "title": "Step 13: Deliver",
        "body": "Confirm the release is live and deliver all links and scan status to the user:\n\nRELEASED: {skill-name} v{version}\n\nGitHub: https://github.com/your-org/openclaw-skill-{name}\nClawhHub: https://clawhub.ai/{username}/{slug}\nVirusTotal: {verdict} — {report link}\nOpenClaw Scan: {verdict} ({confidence})\n\n{1-line description}"
      },
      {
        "title": "Pipeline Ends Here",
        "body": "Skill-releaser scope ends at Step 13 (delivery). Post-release bookkeeping (STATUS.json updates, submodule conversion, memory logging) is a refactory system responsibility, not a release pipeline responsibility. See REFACTORY-SYSTEM.md \"Post-Release Stage.\""
      },
      {
        "title": "Error Handling",
        "body": "ErrorCauseFixReadiness check failsScore too low or OPSEC dirtyComplete refactoring firstOPSEC scan finds violations in release copySanitization incompleteFix in release copy, re-scangh repo create failsAuth issue or name takenCheck gh auth status, try different nameclawhub publish failsCLI not installed or authRun npm install -g clawhub, authenticateUser rejectsFeedback providedAddress feedback, restart from Step 4"
      },
      {
        "title": "Configuration",
        "body": "No persistent configuration required. The pipeline uses environment-level tools\n(gh, clawhub, git) that must be authenticated before use.\n\nRequired tools:\n\nToolPurposeCheckgh CLIGitHub repo creation, visibility changesgh auth statusclawhub CLIPublish to ClawhHub registryclawhub whoamigitVersion controlBuilt-inpython3OPSEC scanner (optional)python3 --version\n\nPipeline scripts (in scripts/):\n\nScriptPurposevalidate-structure.shScore skill structure completeness (8 checks)validate-release-content.shBlock placeholder text, empty filesopsec-scan.shScan for sensitive data before public release\n\nOrg/username: Update your-org in the pipeline steps to your GitHub\nusername or org. The clawhub --slug argument uses the skill's name field\nfrom skill.yml."
      },
      {
        "title": "Examples",
        "body": "Release a specific skill:\n\"Release skill-engineer to clawhub\"\n\nCheck readiness without releasing:\n\"Is evidence-based-investigation ready for release?\"\n\nBatch readiness check:\n\"Which skills are ready to publish?\""
      }
    ],
    "body": "Skill Releaser\n\nOrchestrates the full skill publication pipeline from internal repo to ClawhHub.\n\nWhen to Use\nUser says \"release {skill}\" or \"publish {skill} to clawhub\"\nUser says \"prepare {skill} for release\" or \"check release readiness\"\nUser says \"review {skill} for publication\"\nCron-triggered release check during refactory pipeline\nAssumptions\n\nHow OpenClaw and user interact during release:\n\nAgent runs on a machine with shell access (exec tool) for git and CLI operations\nUser communicates via messaging channel (Telegram, Discord, Signal, etc.) — likely on a phone\nUser reviews the private GitHub repo directly in their browser/phone — the repo IS the review artifact, not a text summary\nUser approves or rejects by replying to the agent's message (natural language: \"approve\", \"revise: fix the readme\", \"reject\")\nAgent can create and manage GitHub repos via gh CLI on behalf of the user's authenticated account\nAgent pushes to the private staging repo BEFORE requesting user review, so there is something to review\nAgent does NOT publish anything publicly without explicit user approval — this is a hard gate\nThe repo starts private for staging and review. At release time, history is erased via orphan branch + force push (single clean commit), then flipped to public\nThe full release can span multiple sessions — the private staging repo preserves state so any agent can resume\nMultiple skills can be in different stages of the pipeline simultaneously\nPrerequisites\ngh CLI authenticated (for repo creation and visibility changes)\nclawhub CLI installed (for ClawhHub publishing)\nA skill directory with at least a SKILL.md file\nScope & Boundaries\n\nThis skill handles: The full release pipeline — structure scaffolding, OPSEC scanning, review, publishing. This skill does NOT handle: Skill content creation or design. The SKILL.md must already describe what the skill does. 
Everything else (boilerplate, structure, scaffolding) is this pipeline's job.\n\nA user with a finished SKILL.md should be able to say \"release this skill\" and this skill handles everything from there — including generating all missing structure files.\n\nAutomation Model\n\nThe pipeline has two fully automated phases separated by one human gate. Both single and batch releases follow the same model.\n\nSingle Skill\nPhase 1 (AUTO): Steps 1-7 — scaffold, validate, stage, scan, review, push\n     ↓\n  GATE: User reviews private repo, replies \"approve\" / \"revise\" / \"reject\"\n     ↓\nPhase 2 (AUTO): Steps 9-12 — erase history, flip public, publish, verify scan, deliver\n\nBatch Release (multiple skills)\nPhase 1 (PARALLEL): Spawn subagents — one per skill, all run Phase 1 simultaneously\n     ↓\n  GATE: ONE batch review message with all repo links\n        User replies: \"approve all\" / \"approve A,C; revise B: fix readme\"\n     ↓\nPhase 2 (PARALLEL): Spawn subagents for approved skills, all publish simultaneously\n     ↓\n  DELIVERY: ONE batch summary with all links and scan results\n\n\nBatch rules:\n\nNever serialize releases — spawn parallel subagents for Phase 1\nNever block on one approval to start the next Phase 1\nAssign each skill a short unique ID (A, B, C...) in the batch review message\nCollect all Phase 1 results, present ONE batch review message with short IDs\nAccept batch approvals: \"approve all\" / \"approve A,C\" / \"revise B: fix readme\"\nRun all Phase 2s in parallel after approval\n\nDesign principles:\n\nUser says \"release these skills\" once. Agent runs all Phase 1s in parallel without interruption.\nAgent sends ONE message: all review links + recommendations. Then waits.\nUser replies once. Agent runs all Phase 2s in parallel without interruption.\nAgent sends ONE delivery message with all results.\nIf any step fails, agent fixes it automatically and continues. 
Only report to user if unfixable.\nRate limits, retries, and delays are handled silently (sleep + retry, not \"rate limited, should I try again?\")\n\nAnti-patterns (never do these):\n\nDo not serialize releases — always parallelize with subagents\nDo not block on approval for skill A before starting Phase 1 for skill B\nDo not send per-skill review messages — batch them\nDo not ask \"should I create the repo?\" — just create it\nDo not report intermediate steps — only the batch review and batch delivery\nDo not ask about rate limits or transient errors — retry silently\nProcess\nStep 1: Structure Scaffolding (Auto-Generate Boilerplate)\n\nBefore any quality checks, generate all missing structure files from the existing SKILL.md:\n\nAuto-generate if missing:\n\nFile\tSource\tGeneration Method\nskill.yml\tSKILL.md frontmatter + triggers\tExtract name, description, version, triggers from SKILL.md\nREADME.md\tSKILL.md description + usage\tGitHub landing page for humans: what it does, how to install, future work. 
NOT agent instructions.\nCHANGELOG.md\tVersion from skill.yml + git log\t## v{version} — {date} + summary of current state\ntests/test-triggers.json\tSKILL.md triggers + \"When to Use\"\tshouldTrigger from triggers list, shouldNotTrigger from anti-patterns\nscripts/\tCreate directory\tEmpty dir or placeholder README if no scripts needed\nreferences/\tCreate directory\tEmpty dir or placeholder README if no references needed\nLICENSE\tDefault MIT\tStandard MIT license text\n.gitignore\tStandard\tnode_modules/, .DS_Store, *.log\n\nRules:\n\nNever overwrite existing files — only generate what's missing\nAll generated content derives from SKILL.md — no hallucinated features\nIf SKILL.md lacks enough info to generate a file, flag it as a content gap (user must fix SKILL.md first)\nGenerated README.md must make sense to a stranger who has never seen the skill before\n\nValidation after scaffolding:\n\nRun scripts/validate-structure.sh — must score 8/8\nIf not 8/8, identify what's still missing and fix it\nStep 1.5: Version Bump (updates only)\n\nIf this skill has been published before, bump the version before proceeding:\n\nCheck current published version:\nclawhub inspect {slug}\n\n\nBump version in both skill.yml and SKILL.md frontmatter:\n\nPatch (1.0.0 → 1.0.1): bug fixes, typos, minor doc updates\nMinor (1.0.0 → 1.1.0): new features, new sections, structural changes\nMajor (1.0.0 → 2.0.0): breaking changes, full rewrites\n\nUpdate CHANGELOG.md with new version entry describing what changed\n\nVerify display_name is set in skill.yml — this is the human-readable title shown on ClawHub. It must be set explicitly; never derive it from the slug or guess it. 
If missing, add it now:\n\ndisplay_name: \"Human Readable Title\"  # Required — used as ClawHub listing title\n\n\nRules:\n\nTitle case, plain English, no jargon\nDescribes what the skill does, not how it's implemented\nExample: slug autonomous-task-runner → display_name: \"Autonomous Task Runner\"\nExample: slug skill-releaser → display_name: \"Skill Releaser\"\n\nSkip this step for first-time releases (but still verify display_name exists).\n\nStep 2: Readiness Check\n\nVerify the skill directory is complete:\n\nSKILL.md exists with description and usage instructions\nskill.yml exists with name, description, triggers\nStructure score 8/8 (from Step 1)\nNo obvious OPSEC violations (quick scan)\n\nIf any check fails, report what needs fixing. Do not proceed.\n\nStep 3: Create Private Staging Repo\n# Check if repo already exists\ngh repo view your-org/openclaw-skill-{name} 2>/dev/null\n\n# If not, create it — CRITICAL: use the SANITIZED description, not the source skill.yml\n# Run OPSEC scan on the description string BEFORE passing to gh repo create\ngh repo create your-org/openclaw-skill-{name} --private --description \"{sanitized description}\"\n\n\nOPSEC on repo metadata: The description passed to gh repo create is public when the repo flips to public. It must be scanned for the same patterns as file contents (org names, personal info, internal project names). 
This is not covered by file-based scanners — it must be checked explicitly.\n\nStep 4: Prepare Release Content\n\nCopy ONLY the skill directory content to a clean staging area:\n\nmkdir -p /tmp/skill-release-{name}\ncp -r skills/{name}/* /tmp/skill-release-{name}/\n\n# Remove internal-only files\nrm -f /tmp/skill-release-{name}/WORKSPACE.md\nrm -f /tmp/skill-release-{name}/.gitignore\nrm -rf /tmp/skill-release-{name}/_meta.json\nrm -rf /tmp/skill-release-{name}/.clawhub\n\n\nCRITICAL VALIDATION — verify before proceeding:\n\n# The release directory must contain ONLY skill files.\n# If you see ANY of these, you copied from the wrong directory — STOP and fix:\n#   - USER.md, MEMORY.md, AGENTS.md, SOUL.md (workspace/repo root files)\n#   - audits/, shared/, scripts/ (repo directories)\n#   - memory/, slides/, projects/ (personal data)\n#   - .gitmodules (repo root)\nls /tmp/skill-release-{name}/\n# Expected: SKILL.md, skill.yml, README.md, CHANGELOG.md, LICENSE, tests/, references/, scripts/\n# If file count exceeds ~15 files, something is wrong. Verify source path.\n\n\nAdd release files if missing:\n\nLICENSE (MIT by default)\nREADME.md (must work as GitHub landing page for strangers)\n.gitignore\nStep 5: Release Content Validation (HARD GATE)\nbash scripts/validate-release-content.sh /tmp/skill-release-{name}\n\n\nThis is a deterministic script that blocks pushes if the release directory contains repo-level files (USER.md, MEMORY.md, audits/, etc.), has too many files (>50), or contains suspicious file types (logs, images, PDFs).\n\nMust return SAFE (exit 0). If BLOCKED, you copied from the wrong directory. Do NOT proceed. Fix the source path and re-copy.\n\nStep 6: OPSEC Deep Scan\nbash scripts/opsec-scan.sh /tmp/skill-release-{name}\n\n\nMust return CLEAN (exit 0). If violations found, fix them in the release copy. 
Do NOT modify the source in openclaw-knowledge — keep the internal version as-is.\n\nStep 7: Agent Review\n\nGenerate review document:\n\n# Release Review: {skill-name}\n\n## Checklist\n- [ ] SKILL.md clear and useful to a stranger\n- [ ] README.md works as GitHub landing page\n- [ ] skill.yml triggers accurate and complete\n- [ ] Scripts work without hardcoded dependencies\n- [ ] Tests present and described\n- [ ] CHANGELOG.md current\n- [ ] LICENSE present\n- [ ] No references to internal repos, infrastructure, or personal info\n- [ ] OPSEC scan: CLEAN\n- [ ] Competitive position: {novel|ahead}\n\n## OPSEC Scan Output\n{paste scan output}\n\n## Competitive Summary\n{from audits/{name}-competitive.md}\n\n## Recommendation\nAPPROVE / REVISE: {reasons}\n\n\nSave to openclaw-knowledge/reviews/{name}-release-review.md\n\nStep 8: Push to Private Staging Repo\n\nPush sanitized content so user can review the actual repo on any device (phone, laptop):\n\ncd /tmp/skill-release-{name}\ngit init\ngit config user.email \"agent@localhost\"\ngit config user.name \"SkillEngineer\"\n\n# Install OPSEC pre-commit hook — prevents sensitive data from entering git history\ncp /tmp/openclaw-knowledge/scripts/opsec-precommit-hook.sh .git/hooks/pre-commit\nchmod +x .git/hooks/pre-commit\n\ngit add .\ngit commit -m \"v{version}: Initial release of {name}\"\ngit remote add origin https://github.com/your-org/openclaw-skill-{name}.git\ngit branch -M main\ngit push -u origin main\n\nStep 9: User Review\n\nFor single skills, send review link. For batch releases, collect all Phase 1 results and send ONE message.\n\nSingle skill:\n\nRELEASE REVIEW: {skill-name}\n\n{score} | OPSEC: CLEAN\n{1-line description}\nhttps://github.com/your-org/openclaw-skill-{name}\n\nReply: approve / revise:{feedback} / reject\n\n\nBatch review (assign short IDs for easy approval):\n\nBATCH RELEASE REVIEW — {N} skills\n\nA. 
{skill-name} — {score} | CLEAN | {1-line description}\nhttps://github.com/your-org/openclaw-skill-{name}\n\nB. {skill-name} — {score} | CLEAN | {1-line description}\nhttps://github.com/your-org/openclaw-skill-{name}\n\nC. {skill-name} — {score} | CLEAN | {1-line description}\nhttps://github.com/your-org/openclaw-skill-{name}\n\nReply: approve all / approve A,C / revise B:{feedback}\n\n\nRules:\n\nLinks on their own line (never in tables — not clickable on mobile)\nShort IDs (A, B, C) for batch approval — user should never type full skill names\nThe repo IS the review artifact. User reviews actual files, not a summary.\nWait for user response. Do not proceed without explicit approval.\nStep 10: Erase History & Flip to Public (after user approval)\n\nErase git history (may contain OPSEC fixes from earlier revisions) and make the repo public:\n\ncd /tmp/skill-release-{name}\n# Orphan branch erases all history\ngit checkout --orphan clean\ngit add -A\ngit commit -m \"v{version}: {name}\"\ngit branch -D main\ngit branch -m main\ngit push -f origin main\n\n# Flip visibility\ngh repo edit your-org/openclaw-skill-{name} --visibility public\n\n# Verify repo metadata is OPSEC-clean (description, topics are now public)\ngh repo view your-org/openclaw-skill-{name} --json description,repositoryTopics -q '.description + \" \" + (.repositoryTopics | join(\" \"))'\n# Manually check output for org names, personal info, internal project names\n# If dirty: gh repo edit your-org/openclaw-skill-{name} --description \"{clean description}\"\n\n\nSingle commit, clean history, one repo. No dual-repo complexity.\n\nStep 11: Prepare Publish Package and Request Approval\n\nClawHub publish is an irreversible external action. 
It requires explicit user approval via a D-## ID before execution.\n\nExtract the publish parameters and log an approval request — do NOT run clawhub publish yet:\n\n# Extract publish parameters directly from skill.yml\nSLUG=$(grep '^name:' /tmp/skill-release-{name}/skill.yml | awk '{print $2}')\nDISPLAY_NAME=$(grep '^display_name:' /tmp/skill-release-{name}/skill.yml | sed 's/display_name: *//' | tr -d '\"')\nVERSION=$(grep '^version:' /tmp/skill-release-{name}/skill.yml | awk '{print $2}')\n\necho \"slug:         $SLUG\"\necho \"display_name: $DISPLAY_NAME\"\necho \"version:      $VERSION\"\n\nif [ -z \"$SLUG\" ] || [ -z \"$DISPLAY_NAME\" ] || [ -z \"$VERSION\" ]; then\n  echo \"ERROR: Missing slug, display_name, or version in skill.yml — fix before proceeding\"\n  exit 1\nfi\n\n\nIf display_name is missing from skill.yml, add it now (see Step 1.5).\n\nThen add a pending publish entry to ESCALATIONS.md:\n\nD-##: Publish {display_name} v{version} (slug: {slug}) to ClawHub? — yes/no\n\n\nStop here. Wait for My Lord to reply \"D-## yes\" before proceeding to Step 11.5.\n\nOnly proceed to Step 11.5 if My Lord has explicitly approved this specific publish in the current session.\n\nStep 11.5: Execute Publish + Verify (APPROVAL REQUIRED)\n\nOnly run this step after receiving explicit \"D-## yes\" from My Lord.\n\nclawhub publish /tmp/skill-release-{name} \\\n  --slug \"$SLUG\" \\\n  --name \"$DISPLAY_NAME\" \\\n  --version \"$VERSION\" \\\n  --changelog \"{summary of changes from CHANGELOG.md}\"\n\n\nPost-publish verification — verify the live listing matches skill.yml exactly:\n\nAfter publishing, verify the live listing matches the source skill.yml exactly. 
This step catches wrong titles, version mismatches, and stale metadata before delivery.\n\nclawhub inspect \"$SLUG\" 2>&1\n\n\nCompare the output against skill.yml:\n\nField\tExpected (from skill.yml)\tActual (from clawhub inspect)\tMatch?\nDisplay name\tdisplay_name value\tFirst line of inspect output\t✅ / ❌\nVersion\tversion value\tLatest: field\t✅ / ❌\nDescription\tFirst sentence of description\tSummary: field (truncated)\t✅ / ❌\nOwner\tyour ClawHub username\tOwner: field\t✅ / ❌\n\nIf any field does not match:\n\nDo NOT proceed to Step 12\nIdentify the mismatch (wrong --name, wrong --slug, stale skill.yml)\nFix the source (skill.yml or publish command), bump patch version, republish\nRe-run Step 11.5 until all fields match\nOnly proceed to Step 12 when the table shows ✅ on all rows\n\nCommon mismatches and fixes:\n\nMismatch\tCause\tFix\nWrong display name\tdisplay_name missing from skill.yml; name was guessed\tAdd display_name to skill.yml, republish\nWrong version\tskill.yml not updated before publish\tBump version in skill.yml, republish\nWrong slug\tname field in skill.yml doesn't match intended slug\tFix name in skill.yml or use correct --slug\nWrong owner\tPublished under wrong account\tCheck clawhub whoami, re-authenticate if needed\nStep 12: Verify Security Scan (Browser Required)\n\nClawHub automatically scans all published skills via VirusTotal (Code Insight) and OpenClaw's own scanner. Do not consider the release complete until scans are reviewed.\n\nUse the browser tool to check scan results — ClawHub pages require JS rendering:\n\nOpen the skill detail page with browser:\nbrowser start (profile=openclaw)\nbrowser navigate → https://clawhub.ai/{username}/{slug}\nbrowser snapshot (refs=aria)\n\n\nFind the \"Security Scan\" section in the snapshot. 
It shows:\n\nVirusTotal verdict: Benign / Suspicious / Malicious / Pending\nOpenClaw verdict: Benign / Suspicious / Malicious with confidence level\nDetail text: Explanation of what was flagged (expand \"Details\" if collapsed)\nVirusTotal report link: Direct URL to full analysis\n\nInterpret results and act:\n\nVerdict\tMeaning\tAction\nBenign (both)\tClean, auto-approved\tProceed to Step 13\nPending\tStill processing\tWait 2 minutes, re-snapshot\nSuspicious (undeclared permissions)\tSkill needs privileged access not in metadata\tAdd permissions to skill.yml, bump version, re-publish\nSuspicious (other)\tFlagged behavior\tReview detail text. If false positive, contact OpenClaw security team. If real, fix and re-publish\nMalicious\tBlocked from download\tFix immediately, bump version, re-run from Step 1.5\n\nCommon fix — undeclared permissions: If flagged for privileged CLI access (gh, clawhub, git, filesystem), add a permissions field to skill.yml:\n\npermissions:\n  - exec: git, gh CLI (repo creation, visibility changes)\n  - exec: clawhub CLI (publishing)\n  - filesystem: read/write skill directories\n  - browser: verify scan results on ClawHub\n\n\nThen bump version and re-publish. This declares intent and resolves the flag.\n\nIf VirusTotal is still Pending after 5 minutes, proceed to Step 12 but note it in the delivery. The scan completes asynchronously.\n\nStep 13: Deliver\n\nConfirm the release is live and deliver all links and scan status to the user:\n\nRELEASED: {skill-name} v{version}\n\nGitHub: https://github.com/your-org/openclaw-skill-{name}\nClawHub: https://clawhub.ai/{username}/{slug}\nVirusTotal: {verdict} — {report link}\nOpenClaw Scan: {verdict} ({confidence})\n\n{1-line description}\n\nPipeline Ends Here\n\nSkill-releaser scope ends at Step 13 (delivery). Post-release bookkeeping (STATUS.json updates, submodule conversion, memory logging) is a refactory system responsibility, not a release pipeline responsibility. 
See REFACTORY-SYSTEM.md \"Post-Release Stage.\"\n\nError Handling\nError\tCause\tFix\nReadiness check fails\tScore too low or OPSEC dirty\tComplete refactoring first\nOPSEC scan finds violations in release copy\tSanitization incomplete\tFix in release copy, re-scan\ngh repo create fails\tAuth issue or name taken\tCheck gh auth status, try different name\nclawhub publish fails\tCLI not installed or auth\tRun npm install -g clawhub, authenticate\nUser rejects\tFeedback provided\tAddress feedback, restart from Step 4\nConfiguration\n\nNo persistent configuration required. The pipeline uses environment-level tools (gh, clawhub, git) that must be authenticated before use.\n\nRequired tools:\n\nTool\tPurpose\tCheck\ngh CLI\tGitHub repo creation, visibility changes\tgh auth status\nclawhub CLI\tPublish to ClawHub registry\tclawhub whoami\ngit\tVersion control\tBuilt-in\npython3\tOPSEC scanner (optional)\tpython3 --version\n\nPipeline scripts (in scripts/):\n\nScript\tPurpose\nvalidate-structure.sh\tScore skill structure completeness (8 checks)\nvalidate-release-content.sh\tBlock placeholder text, empty files\nopsec-scan.sh\tScan for sensitive data before public release\n\nOrg/username: Update your-org in the pipeline steps to your GitHub username or org. The clawhub --slug argument uses the skill's name field from skill.yml.\n\nExamples\n\nRelease a specific skill: \"Release skill-engineer to clawhub\"\n\nCheck readiness without releasing: \"Is evidence-based-investigation ready for release?\"\n\nBatch readiness check: \"Which skills are ready to publish?\""
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/chunhualiao/skill-releaser",
    "publisherUrl": "https://clawhub.ai/chunhualiao/skill-releaser",
    "owner": "chunhualiao",
    "version": "1.5.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/skill-releaser",
    "downloadUrl": "https://openagent3.xyz/downloads/skill-releaser",
    "agentUrl": "https://openagent3.xyz/skills/skill-releaser/agent",
    "manifestUrl": "https://openagent3.xyz/skills/skill-releaser/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/skill-releaser/agent.md"
  }
}