Pre Publish Security
by @solmas
Multi-layered security audit system for GitHub/ClawHub releases. Prevents credential leaks, detects vulnerabilities, validates documentation. Frequency-aware...
clawhub install pre-publish-securityπ About This Skill
name: pre-publish-security description: Multi-layered security audit system for GitHub/ClawHub releases. Prevents credential leaks, detects vulnerabilities, validates documentation. Frequency-aware scanning (quick/history/dependencies). Blocks bad pushes automatically. version: 2.0.0 author: solmas homepage: https://github.com/solmas/openclaw-pre-publish-security license: MIT tags: - security - git - audit - credentials - publishing - dependencies - cve metadata: openclaw: requires: bins: [git, jq, grep] optional: [npm, pip, safety, shellcheck] install: - { id: jq, kind: apt, package: jq } user-invocable: true
Pre-Publish Security Protocol
Prevents security breaches like exposed credentials in open-source releases.
Features
β Multi-Level Scanning
β Smart Frequency Management
β What It Catches
[ORG], example.com)β Automated Protection
Quick Start
Install Pre-Push Hook
# Automatic protection on every push
./install-hooks.sh /path/to/your/repo
Run First History Scan
# One-time deep dive (or monthly)
./audit-full.sh /path/to/repo history
Check Status
# See when scans last ran
./schedule.sh status
Run Scheduled Audits
# Auto-determines what to run based on time
./schedule.sh run /path/to/repo
Manual Scans
# Quick scan (every push)
./audit-simple.sh /path/to/repoGit history scan (monthly)
./audit-full.sh /path/to/repo historyDependency scan (weekly)
./audit-full.sh /path/to/repo dependenciesFull audit (before releases)
./audit-full.sh /path/to/repo full
What Gets Scanned
Quick Scan (Every Push)
History Scan (Monthly)
Dependency Scan (Weekly)
Full Audit (On-Demand)
Severity Levels
Integration
Pre-Push Hook (Recommended)
./install-hooks.sh ~/my-repo
git push # Automatic security check
Weekly Cron
# Add to OpenClaw cron
openclaw cron add \
--name "weekly-repo-scan" \
--cron "0 3 * * 1" \
--announce \
--message "Run: ~/.openclaw/workspace/skills/pre-publish-security/schedule.sh run ~/repo"
Manual Pre-Publish
# Before clawhub publish
./audit-full.sh ~/skills/my-skill full
clawhub publish skills/my-skill --version 1.0.1
Files
audit-simple.sh - Fast pre-push scanaudit-full.sh - Complete scanner with trackingschedule.sh - Status & smart automationinstall-hooks.sh - Git hook installeraudit-state.json - State tracking (auto-created)AUDIT-SCHEDULE.md - Detailed frequency guideREADME.md - Full documentationagents/ - Sub-agent definitions (future use)Requirements
Required:
Optional (enhanced detection):
State Tracking
Automatically tracks:
View with: ./schedule.sh status
Exit Codes
0 - Passed (no issues or low/medium only)1 - Critical issues (blocks push)2 - High issues (requires review)Real-World Example
Problem: Accidentally pushed GitHub PAT in git remote URL Solution: This tool caught it and blocked the push Result: Credential never exposed publicly
Use Cases
1. Individual Developers: Pre-push hook prevents accidents 2. Open-Source Projects: Protects against contributor mistakes 3. ClawHub Skills: Validates before publishing 4. CI/CD: Add to GitHub Actions for automated checks 5. Security Audits: Comprehensive repository review
Why This Exists
On 2026-03-15, a GitHub PAT was accidentally exposed in a git config file. This protocol ensures it never happens again - to anyone.
License
MIT - Use it, improve it, share it.
Contributing
Issues & PRs welcome at: https://github.com/solmas/pre-publish-security
β‘ When to Use
π‘ Examples
Install Pre-Push Hook
# Automatic protection on every push
./install-hooks.sh /path/to/your/repo
Run First History Scan
# One-time deep dive (or monthly)
./audit-full.sh /path/to/repo history
Check Status
# See when scans last ran
./schedule.sh status
Run Scheduled Audits
# Auto-determines what to run based on time
./schedule.sh run /path/to/repo