Verify an OpenClaw release is fully published and working across all channels.
This appears to be an open-source, prompt-only verification skill with no declared secrets or built-in remote endpoints, so the overall risk is low. The main caveat is that its workflow instructs the host agent to query GitHub, npm, and ClawHub and run verification commands, so runtime network and execution boundaries should still be controlled.
The material explicitly states that no keys or environment variables are required. The README mentions 'Never print secrets' and 'Use inherited live keys' only as operating guidance, with no declared mechanism for the skill itself to collect, store, or exfiltrate credentials; as a prompt-only skill, its credential surface is small.
Although the system marks it as prompt-only and no built-in remote host is declared, the README explicitly requires live verification against the GitHub API, the npm registry, ClawHub, and related online release state. This is normal network use within the stated purpose, and there is no specific red flag showing exfiltration to unknown or unrelated endpoints.
The README contains many command-oriented verification steps such as `gh release view`, `npm view`, downloading tarballs, and `openclaw plugins install`, indicating that when used by a host agent it may drive local command execution and installation/verification flows. This is consistent with its release-verification purpose, and there is no sign of requesting unusual system privileges or stealth execution.
The documentation calls for reading release metadata, workflow results, and package information, and for unpacking tarballs or running smoke tests/plugin installs under `/tmp` and an isolated HOME. This scope is mainly limited to temporary directories and online release data, with no evident request for broad access to private user files, but it still involves local temporary files and environment-state access.
The source is an auditable open-source GitHub repository, the system flags it as open-source, and the community adoption is very high (about 377k stars), all of which materially lower supply-chain risk. The missing license declaration and unknown maintenance status are minor information gaps, but not enough to elevate this to high risk based on the provided material.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "verify-release" skill from askskill: 1. Download https://raw.githubusercontent.com/openclaw/openclaw/main/.agents/skills/verify-release/SKILL.md 2. Save it as ~/.claude/skills/verify-release/SKILL.md 3. Reload skills and tell me it's ready
Verify whether OpenClaw v1.4.2 is fully published: check the GitHub Release, npm package, plugins, ClawHub, package smoke test results, and live Gateway agent turns, then produce an itemized status report and issue list.
A release verification report with per-channel status, pass/fail checks, discovered issues, and recommended next steps.
Check whether the latest OpenClaw release has any missing artifacts, especially whether npm, ClawHub, and plugin distribution are fully synchronized; if inconsistencies exist, identify the missing locations and likely causes.
A diagnostic summary showing which release channels are incomplete, what version mismatches exist, and the likely root causes.
Validate that this OpenClaw release is not only distributed but also usable: check smoke tests, live Gateway agent turn behavior, and summarize whether end users can install and invoke it successfully.
An availability confirmation summary stating whether the release is truly usable and listing any user-impacting risks.
Use this when asked whether an OpenClaw release is fully released, published,
promoted, smoke-tested, or live-verified. This is a verification skill, not a
publish skill; use $release-openclaw-maintainer before changing release state.
.27 to the concrete CalVer version from the
current date/context, then say the resolved version./tmp.yes/no, evidence bullets, caveats, cleanup.gh release view v<VERSION> --repo openclaw/openclaw --json tagName,name,publishedAt,isDraft,isPrerelease,targetCommitish,url,body,assetsnpm view openclaw@<VERSION> version dist-tags.latest dist.tarball dist.integrity time.<VERSION> --jsonlatest must equal <VERSION> for stable.https://api.github.com/repos/openclaw/openclaw/tarball/v<VERSION>
into /tmp/openclaw-v<VERSION>-src.extensions/*/package.json with
openclaw.release.publishToNpm === true and
openclaw.release.publishToClawHub === true.gh api repos/openclaw/openclaw/actions/runs/<RUN>/jobs --paginate.<VERSION> and
dist-tags.latest === <VERSION>.openclaw plugins search <known-plugin> --json.openclaw plugins install clawhub:@openclaw/matrix --pin.
Prefer matrix unless that plugin is not in the expected set./tmp, isolated HOME:
npm exec --yes --package openclaw@<VERSION> -- openclaw --version.plugins --help or gateway --help.HOME=/tmp/openclaw-release-smoke/home OPENCLAW_WORKSPACE=/tmp/openclaw-release-smoke/work pnpm openclaw --dev gateway run --auth none --force --verbose.openclaw --dev gateway health --json.OPENAI_API_KEY, short
prompt, explicit session key, JSON output, and a known-available model.latest is release truth; if optional beta mirrors…
Fetch GitHub issues, create fixes, open PRs, and handle reviews.
Convert text to speech locally and offline with sherpa-onnx, no cloud needed.
Regenerate OpenClaw release changelog sections from Git history before releases.
Prepare and verify OpenClaw stable or beta releases and release notes.
Automate web page workflows, login checks, tab handling, and recovery steps.
Create and review technical docs and agent instruction files in repositories.
Run, debug, monitor, and summarize OpenClaw release CI workflows.
Plan and run end-to-end pre-release validation for OpenClaw plugins.
Draft OpenClaw release announcements and testing guidance from release evidence.
Run or recover OpenClaw macOS signing, notarization, and release promotion.
Choose and run the safest, cheapest OpenClaw test and validation path.
Inspect, patch, validate, and publish OpenClaw GHSA advisories securely.