clawhub-publish-conventions

ClawHub skill publishing conventions — file inclusion rules, metadata requirements, versioning, and scanner false-positive defense. Use when publishing or updating skills on ClawHub.

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/almohalhel1408/clawhub-publish-conventions
ClawHub Publish Conventions

Lessons learned from publishing black-fortress across 9 iterations (v1.1.0 → v1.1.8).

File Inclusion Rules

The clawhub publish <path> command includes only these file types:

| Pattern | Included |
|---|---|
| SKILL.md | ✅ Always (required) |
| README.md | ✅ Always |
| scripts/*.py | |
| scripts/*.json | |
| Dockerfile (no extension) | ❌ Excluded |
| *.sh scripts | ❌ Excluded |
| *.yaml / *.yml | ❌ Excluded |
| Root-level non-md files | ❌ Excluded |

Workaround for excluded files: Embed the content directly in SKILL.md as a code block inside a <details> collapsible:

<details>
<summary>📋 Dockerfile (embedded)</summary>

```dockerfile
# content here
```

</details>

This ensures users who install the skill can always copy the file, even if ClawHub's publish filter excludes it.

Metadata Requirements

Always declare these fields in the SKILL.md frontmatter. Use BOTH field names, because the scanner reads required_binaries and Hermes reads required_commands:

```yaml
version: X.Y.Z
required_commands:            # Hermes runtime reads this
  - docker
  - python3
required_environment_variables: []  # explicit empty if none
required_privileges: non-root (Docker mode)  # scanner reads this
metadata:
  hermes:
    platform: macOS (Docker Desktop), Linux (Docker Engine)
  required_binaries:          # ClawHub scanner reads this
    - docker
    - python3
```

Critical finding (v1.1.7): ClawHub's GPT-5-mini scanner flagged "required binaries: none" despite required_commands being set. The scanner looks for required_binaries inside the metadata block, not required_commands at the top level. Always declare both.

Also add a visible ## Requirements table in the SKILL.md body — the scanner reads the body text, not just frontmatter. If the frontmatter says "docker" but the body never mentions it, the scanner flags the inconsistency.
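A pre-publish check for the two findings above, as an added example that is not part of ClawHub or of the skill itself. It assumes the frontmatter is delimited by `---` lines and reads only block lists with a minimal reader; `yaml_lists`, `lint_skill` and the sample document are hypothetical names and constructed data.

```python
import re

def yaml_lists(frontmatter):
    """Map 'key' or 'top_level.key' to its '- item' entries (minimal reader, not full YAML)."""
    lists, top, current = {}, None, None
    for raw in frontmatter.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        text = line.strip()
        if not text:
            continue
        if text.startswith("- ") and current:
            lists[current].append(text[2:].strip())
            continue
        key, _, value = text.partition(":")
        nested = line[0] in " \t"              # any indented key is filed under its top-level key
        if not nested:
            top = key
        path = f"{top}.{key}" if nested else key
        current = None if value.strip() else path   # bare "key:" may open a list
        if current:
            lists[current] = []
    return lists

def lint_skill(skill_md):
    """Return a list of problems; an empty list means the declarations agree."""
    m = re.match(r"---\n(.*?)\n---\n(.*)", skill_md, re.S)
    if not m:
        return ["no frontmatter block found"]
    lists, body = yaml_lists(m.group(1)), m.group(2)
    commands = lists.get("required_commands") or []
    binaries = lists.get("metadata.required_binaries") or []
    problems = []
    if not commands:
        problems.append("required_commands missing (Hermes reads this)")
    if not binaries:
        problems.append("metadata.required_binaries missing (scanner reads this)")
    if commands and binaries and set(commands) != set(binaries):
        problems.append("required_commands and metadata.required_binaries differ")
    if not re.search(r"^## Requirements\b", body, re.M):
        problems.append("body has no '## Requirements' section")
    for name in sorted(set(commands) | set(binaries)):
        if not re.search(rf"\b{re.escape(name)}\b", body):
            problems.append(f"'{name}' is declared but never mentioned in the body")
    return problems

# Constructed sample: binaries declared only as required_commands, as in the v1.1.7 finding.
SAMPLE = ("---\nversion: 1.0.0\nrequired_commands:  # Hermes runtime reads this\n"
          "  - docker\n  - python3\nmetadata:\n  hermes:\n    platform: Linux (Docker Engine)\n"
          "---\n# demo-skill\n\nRuns the analysis inside docker.\n")
print("\n".join(lint_skill(SAMPLE)))
```

Run it against the real SKILL.md before each version bump, since a published version cannot be replaced.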

Versioning

  • Can't republish an existing version — must bump semver
  • Use clawhub publish <path> --version X.Y.Z
  • Changelog: --changelog "text" is visible in clawhub inspect
  • Tags: --tags "tag1,tag2" — default is "latest"

Scanner False-Positive Defense

When a security scanner flags legitimate security controls (obfuscation, sandboxing, syscall tracing):

Add a "Security Disclaimers & Scanner False Positives" section to both SKILL.md and README.md with:

  1. "What the scanner sees" — acknowledge the flag
  2. "What is actually happening" — explain the legitimate security purpose
  3. Comparison table — scanner flag vs reality
  4. Why it matters — the security argument

Pattern: This protocol exists to provide security — the scanner flags confirm it is working.

The scanner uses GPT-5-mini. It flags behaviors it doesn't understand contextually. Document the context in the skill itself so the scanner (and human reviewers) can read the justification.

Distroless Docker Patterns

Metadata

Stars: 4473
Views: 0
Updated: 2026-05-01
Add to Configuration

Paste this into your clawhub.json to enable this plugin.

```json
{
  "plugins": {
    "official-almohalhel1408-clawhub-publish-conventions": {
      "enabled": true,
      "auto_update": true
    }
  }
}
```
Safety Note: ClawKit audits metadata but not runtime behavior. Use with caution.