Back to skills
SkillHub ClubShip Full StackFull Stack
weave
Imported from https://github.com/openclaw/skills.
Packaged view
This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.
Stars
3,111
Hot score
99
Updated
March 20, 2026
Overall rating
C0.0
Composite score
0.0
Best-practice grade
F15.9
Install command
npx @skill-hub/cli install openclaw-skills-weave
Repository
openclaw/skills
Skill path: skills/aryanj-nyc/weave
Imported from https://github.com/openclaw/skills.
Open repositoryBest for
Primary workflow: Ship Full Stack.
Technical facets: Full Stack.
Target audience: everyone.
License: AGPL-3.0-or-later.
Original source
Catalog source: SkillHub Club.
Repository owner: openclaw.
This is still a mirrored public skill entry. Review the repository before installing into production workflows.
What it helps with
- Install weave into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
- Review https://github.com/openclaw/skills before adding weave to shared team environments
- Use weave for development workflows
Works across
Claude CodeCodex CLIGemini CLIOpenCode
Favorites: 0.
Sub-skills: 0.
Aggregator: No.
Original source / Raw SKILL.md
---
name: weave
description: Use when creating crypto or stablecoin invoices, generating payment quotes, or tracking invoice payment status with the Weave CLI.
license: AGPL-3.0-or-later
metadata:
openclaw:
requires:
bins:
- weave
install:
- kind: go
module: github.com/AryanJ-NYC/weave-cash/apps/cli/cmd/weave
bins:
- weave
- id: node
kind: node
package: weave-cash-cli
label: Fallback: Install Weave CLI (npm)
bins:
- weave
emoji: '🧶'
homepage: 'https://www.weavecash.com'
clawdbot:
requires:
bins:
- weave
install:
- kind: go
module: github.com/AryanJ-NYC/weave-cash/apps/cli/cmd/weave
bins:
- weave
- id: node
kind: node
package: weave-cash-cli
label: Fallback: Install Weave CLI (npm)
bins:
- weave
emoji: '🧶'
homepage: 'https://www.weavecash.com'
---
# Weave
Weave is a CLI for crypto invoicing and cross-chain payment workflows. Use this when you need to create Bitcoin, Ethereum, Solana, USDC, or USDT invoices, generate payment quotes, and monitor settlement across supported networks such as Base, Tron, and Zcash for agent workflows or operations.
## Overview
Use `weave` for full Weave Cash invoice lifecycle workflows:
1. Create an invoice (`weave create`)
2. Generate payment instructions (`weave quote`)
3. Track settlement (`weave status` or `weave status --watch`)
## Guardrails
- Crypto-to-crypto only. Do not introduce fiat currencies, fiat conversions, or fiat-denominated behavior.
- Prefer machine-readable JSON output. Use `--human` only when explicitly requested.
- Never expose secrets (private keys, tokens, JWTs) in outputs.
- Treat network/API calls as failure-prone and handle non-zero exits explicitly.
## When Not To Use
- Do not use this skill for fiat invoice or fiat settlement workflows.
- Do not use this skill for editing Weave web UI/frontend code.
- Do not use this skill for unrelated wallet custody or private-key management tasks.
- Do not use this skill when the user wants non-Weave payment rails.
## Preflight
1. Confirm CLI availability:
```bash
weave --help
```
2. Discover runtime token/network support before choosing assets:
```bash
weave tokens
```
3. If `weave` is missing, provide compliant install guidance and ask before running:
```bash
go install github.com/AryanJ-NYC/weave-cash/apps/cli/cmd/weave@latest
weave --help
```
If Go is unavailable, use npm fallback:
```bash
npm i -g weave-cash-cli
weave --help
```
If both Go and npm are unavailable, report the missing prerequisites.
## Compliant Install Policy
- Prefer `metadata.openclaw.install` / `metadata.clawdbot.install` package-manager installs.
- Never suggest remote download commands piped directly to a shell interpreter.
- Detect and instruct; do not auto-install dependencies without explicit user approval.
## Token And Network Selection
- Always trust live `weave tokens` output from the runtime binary.
- Do not hardcode token/network lists in reasoning.
- `--receive-network` is required only for receive tokens that support multiple networks.
- Network aliases are accepted (for example `Ethereum|ETH`, `Solana|SOL`, `Tron|TRX` when supported by runtime output).
## Workflow
### 1) Create Invoice
Collect:
- `receive-token`
- `amount` (positive numeric string)
- `wallet-address`
- `receive-network` only when required by runtime token/network map
- optional buyer fields (`description`, `buyer-name`, `buyer-email`, `buyer-address`)
Command:
```bash
weave create \
--receive-token USDC \
--receive-network Ethereum \
--amount 25 \
--wallet-address 0x1111111111111111111111111111111111111111
```
Expected JSON shape:
```json
{
"id": "inv_123",
"invoiceUrl": "https://www.weavecash.com/invoice/inv_123"
}
```
Capture `id` for downstream `quote`/`status` calls.
### 2) Generate Quote
Collect:
- `invoice-id`
- `pay-token`
- `pay-network`
- `refund-address`
Command:
```bash
weave quote inv_123 \
--pay-token USDT \
--pay-network Ethereum \
--refund-address 0x2222222222222222222222222222222222222222
```
Expected fields:
- `depositAddress`
- `depositMemo` (optional)
- `amountIn`
- `amountOut`
- `timeEstimate`
- `expiresAt`
### 3) Check Status
One-shot:
```bash
weave status inv_123
```
Watch mode:
```bash
weave status inv_123 --watch --interval-seconds 5 --timeout-seconds 900
```
Interpretation:
- Exit `0`: reached terminal status (`COMPLETED`, `FAILED`, `REFUNDED`, `EXPIRED`)
- Exit `2`: watch timeout (not a command failure)
- Exit `1`: command/API/network/validation failure
## Error Handling
When exit code is `1`, surface structured stderr JSON when present. Common API-derived shape:
```json
{
"error": "api message",
"status": 409,
"details": {
"error": "Invoice is not in PENDING status"
}
}
```
If watch times out (exit `2`), treat as incomplete progress, not fatal failure. Recommend extending `--timeout-seconds` or rerunning a one-shot `weave status <invoice-id>`.
## Runtime Drift Rule
The installed binary and source tree can drift in token support. Always use runtime discovery (`weave tokens`) when deciding valid token/network combinations.
---
## Skill Companion Files
> Additional files collected from the skill directory layout.
### _meta.json
```json
{
"owner": "aryanj-nyc",
"slug": "weave",
"displayName": "Weave",
"latest": {
"version": "0.1.6",
"publishedAt": 1772814510713,
"commit": "https://github.com/openclaw/skills/commit/44fdeb9c2cca82c979a105d33c68752b745a7251"
},
"history": [
{
"version": "0.1.5",
"publishedAt": 1772467200098,
"commit": "https://github.com/openclaw/skills/commit/8ab1520502cc0740949321ddd881e2cb201662fa"
},
{
"version": "0.0.2",
"publishedAt": 1772295681046,
"commit": "https://github.com/openclaw/skills/commit/1542a8582da870db447813793c1e8d2705abd3d8"
},
{
"version": "0.1.0",
"publishedAt": 1772228266927,
"commit": "https://github.com/openclaw/skills/commit/f72852404379feedb7c2a96774b33d0b324c224d"
}
]
}
```
### references/cli-contract.md
```markdown
# Weave CLI Contract Snapshot
This reference captures the current command/output contract for the `weave` CLI as of 2026-02-26.
Source precedence used here:
1. CLI implementation (`apps/cli/internal/cmd/*`, `apps/cli/internal/output/output.go`)
2. CLI docs (`apps/cli/docs/*`)
## Global Flags
- `--api-url string` (default `https://www.weavecash.com`)
- `--human` (default `false`; machine-oriented JSON is default)
## Commands
### `weave create`
Required flags:
- `--receive-token`
- `--amount`
- `--wallet-address`
Conditionally required:
- `--receive-network` for tokens with multiple supported networks
Optional:
- `--description`
- `--buyer-name`
- `--buyer-email`
- `--buyer-address`
JSON output shape:
```json
{
"id": "inv_123",
"invoiceUrl": "https://www.weavecash.com/invoice/inv_123"
}
```
### `weave quote [invoice-id]`
Required flags:
- `--pay-token`
- `--pay-network`
- `--refund-address`
JSON output fields:
- `depositAddress`
- `depositMemo` (optional)
- `amountIn`
- `amountOut`
- `timeEstimate`
- `expiresAt`
### `weave status [invoice-id]` (alias: `get`)
Default: one-shot invoice snapshot.
Watch mode flags:
- `--watch`
- `--interval-seconds` (default `5`)
- `--timeout-seconds` (default `900`)
Watch mode emits NDJSON events in JSON mode and exits:
- `0` on terminal status
- `2` on timeout
### `weave tokens`
Returns runtime token/network support and aliases.
This command is the runtime source of truth for token/network decisions in skill workflows.
## Exit Codes
- `0`: success (including terminal completion in watch mode)
- `1`: validation, API, network, or command failure
- `2`: watch timeout before terminal status
## Error Output
Error payloads are emitted as JSON on stderr.
API-derived failures include HTTP status and API payload when parseable:
```json
{
"error": "api message",
"status": 409,
"details": {
"error": "Invoice is not in PENDING status"
}
}
```
Watch timeout shape:
```json
{
"error": "status watch timed out",
"status": "AWAITING_DEPOSIT",
"timeoutSeconds": 900
}
```
## Runtime Token-Map Caveat
Current source token map (`apps/cli/internal/cmd/tokens_generated.go`) includes:
- Tokens: `BTC`, `ETH`, `PAXG`, `SOL`, `USDC`, `USDT`, `XAUT`, `ZEC`
- Networks: `Bitcoin`, `Ethereum`, `Solana`, `Tron`, `Zcash`
Some built artifacts can lag this map. Skill logic must query `weave tokens` from the installed runtime before making token/network assumptions.
```
### references/publishing.md
```markdown
# Publishing Weave Skill To Clawhub
This guide is for publishing:
- Skill path: `skills/weave` (repo-relative)
- Skill name: `weave`
## Prerequisites
1. Install and authenticate `clawhub` CLI.
2. Ensure these files exist:
- `SKILL.md`
- `agents/openai.yaml`
- `references/cli-contract.md`
- `references/scenarios.md`
- `LICENSE.txt`
3. Validate frontmatter and metadata:
- `name: weave`
- `metadata.openclaw.requires.bins` includes `weave`
- `metadata.clawdbot.requires.bins` includes `weave`
- `metadata.openclaw.install` includes preferred `kind: go` with module `github.com/AryanJ-NYC/weave-cash/apps/cli/cmd/weave`
- `metadata.openclaw.install` includes fallback `kind: node` with package `weave-cash-cli`
- `metadata.clawdbot.install` includes preferred `kind: go` with module `github.com/AryanJ-NYC/weave-cash/apps/cli/cmd/weave`
- `metadata.clawdbot.install` includes fallback `kind: node` with package `weave-cash-cli`
## Pre-Publish Checks
From repo root:
```bash
find skills/weave -type f | sort
du -sh skills/weave
```
Security check (required):
```bash
bash skills/weave/scripts/security-check.sh
```
This blocks common review triggers before publish, including:
- download commands piped directly into shell interpreters
- base64-decoded shell execution
- URL shorteners
- unsupported install kinds outside `brew|node|go|uv`
Optional structure validation (if `PyYAML` is available):
```bash
PYTHONPATH=/tmp/skill-validate-deps python3 ~/.codex/skills/.system/skill-creator/scripts/quick_validate.py skills/weave
```
## Publish Command
Use this command template:
```bash
clawhub publish skills/weave --version 0.1.1 --changelog "Security-hardening release for weave skill install guidance and publish checks."
```
Quick script:
```bash
bash skills/weave/scripts/publish-clawhub.sh 0.1.1
```
Codified local release script:
```bash
bash skills/weave/scripts/release.sh 0.1.1
bash skills/weave/scripts/release.sh --no-check-skills-sh 0.1.1
bash skills/weave/scripts/release.sh --create-git-tag 0.1.1
bash skills/weave/scripts/release.sh --publish-clawhub 0.1.1 "Security-hardening release for weave skill install guidance and publish checks."
bash skills/weave/scripts/release.sh --skills-install-smoke --publish-clawhub 0.1.1 "Security-hardening release for weave skill install guidance and publish checks."
bash skills/weave/scripts/release.sh --create-git-tag --publish-clawhub 0.1.1 "Security-hardening release for weave skill install guidance and publish checks."
```
Notes:
- `release.sh` runs `skills/weave/scripts/check-skills-sh.sh` by default to verify skills.sh listing visibility.
- Use `--no-check-skills-sh` to skip skills.sh verification.
- Use `--skills-install-smoke` to include install smoke-check in the skills.sh step.
## Versioning Rules
- Current release target: `0.1.1`
- Bump patch for text fixes (`0.1.1`)
- Bump minor for new workflows (`0.2.0`)
- Bump major for breaking behavioral changes (`1.0.0`)
- Skill tags use `v<semver>` (for example `v0.1.1`).
## Changelog Template
```md
Security-hardening release for weave skill install guidance and publish checks.
```
For updates:
```md
Updated token/network handling guidance, security checks, and release automation.
```
## GitHub Actions Release
Manual release workflow:
- File: `.github/workflows/weave-skill-release.yml`
- Trigger: `workflow_dispatch`
- Inputs:
- `version` (semver)
- `changelog`
- `publish_to_clawhub` (`true`/`false`)
- `create_git_tag` (`true`/`false`)
Required secret for publish job:
- `CLAWHUB_TOKEN` (Clawhub API token)
Companion CI workflow:
- File: `.github/workflows/weave-skill-ci.yml`
- Runs on skill-related PR/push changes and enforces security-check + script syntax.
## Post-Publish Validation
1. Check skill metadata:
```bash
clawhub inspect weave
```
2. Confirm `SKILL.md` was published:
```bash
clawhub inspect weave --files
```
3. Verify discoverability in registry search:
```bash
clawhub search weave
```
## skills.sh Publish Flow
`skills.sh` does not use a separate publish API for this repo-based flow.
For `skills.sh`, "publish" means: push the skill files to the public GitHub repository, then verify the source resolves.
Canonical source identifier:
- `AryanJ-NYC/weave-cash@weave`
Steps:
1. Push your skill changes to the default branch:
```bash
git push origin master
```
2. Verify `skills.sh` can resolve the skill from GitHub source:
```bash
bash skills/weave/scripts/check-skills-sh.sh
```
3. Optional install smoke check:
```bash
RUN_INSTALL_CHECK=1 bash skills/weave/scripts/check-skills-sh.sh
```
Direct `npx` equivalents:
```bash
npm_config_cache=/tmp/npm-cache npx -y skills add AryanJ-NYC/weave-cash@weave --list
npm_config_cache=/tmp/npm-cache npx -y skills find "weave cash"
npm_config_cache=/tmp/npm-cache npx -y skills add AryanJ-NYC/weave-cash@weave --yes --agent claude-code
```
Notes:
- Search ranking can lag even when source resolution succeeds; rely on `skills add ... --list` as the primary publish signal.
- This flow is separate from Clawhub registry publish (`clawhub publish ...`).
## Operational Notes
- Keep crypto-only scope; do not add fiat assumptions.
- Keep `weave-cash-cli` published and current for npm fallback installs.
- Runtime token/network support can drift from local docs; `weave tokens` is the live source of truth.
- Do not publish secrets or credential-bearing examples in skill files.
```
### references/scenarios.md
```markdown
# Weave Skill Scenarios
All examples are crypto-only and use placeholder addresses (no secrets).
## Scenario 1: Full Lifecycle (Multi-Network Receive Token)
Goal: create an invoice, quote payer instructions, and watch status.
1. Preflight
```bash
weave --help
weave tokens
```
2. Create invoice (USDC on Ethereum)
```bash
weave create \
--receive-token USDC \
--receive-network Ethereum \
--amount 25 \
--wallet-address 0x1111111111111111111111111111111111111111
```
3. Quote with payer asset/network
```bash
weave quote <invoice-id> \
--pay-token USDT \
--pay-network Ethereum \
--refund-address 0x2222222222222222222222222222222222222222
```
4. Watch status
```bash
weave status <invoice-id> --watch --interval-seconds 5 --timeout-seconds 900
```
Success criteria:
- `create` returns `id` + `invoiceUrl`
- `quote` returns deposit instructions and expiry
- `status --watch` exits `0` on terminal state
## Scenario 2: Single-Network Receive Token (No Receive-Network Flag)
Goal: validate inferred receive network for single-network token.
```bash
weave create \
--receive-token BTC \
--amount 0.005 \
--wallet-address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
```
Success criteria:
- command succeeds without `--receive-network`
- response includes a valid invoice id
## Scenario 3: Timeout Handling In Watch Mode
Goal: classify timeout as incomplete progress, not hard failure.
```bash
weave status <invoice-id> --watch --interval-seconds 2 --timeout-seconds 20
echo $?
```
Expected:
- exit code `2` when timeout hits
- stderr JSON includes `error=status watch timed out` and `timeoutSeconds`
Follow-up:
- rerun with larger timeout, or
- run one-shot `weave status <invoice-id>`
## Scenario 4: Missing CLI Binary (Negative Path)
Goal: detect missing dependency and provide install instructions only.
Expected behavior:
- if `weave --help` fails with command-not-found, return install guidance:
```bash
go install github.com/AryanJ-NYC/weave-cash/apps/cli/cmd/weave@latest
weave --help
```
- if Go is not available, fallback to:
```bash
npm i -g weave-cash-cli
weave --help
```
- if both Go and npm are unavailable, report missing prerequisites clearly
- do not auto-execute install commands
## Manual Prompt Test Matrix
Use these prompts to verify trigger coverage:
1. "Create a Weave invoice for 25 USDC on Ethereum."
2. "Generate quote instructions for invoice `<id>` using USDT on Ethereum."
3. "Watch invoice `<id>` until final status."
4. "I don't have weave installed, help me run this flow."
Pass condition:
- skill follows preflight, JSON-first flow, and correct exit-code/error handling rules.
```
### scripts/check-skills-sh.sh
```bash
#!/usr/bin/env bash
set -euo pipefail
print_usage() {
cat <<'EOF'
Usage:
bash skills/weave/scripts/check-skills-sh.sh [source] [query]
Defaults:
source = AryanJ-NYC/weave-cash@weave
query = weave cash
Examples:
bash skills/weave/scripts/check-skills-sh.sh
bash skills/weave/scripts/check-skills-sh.sh AryanJ-NYC/weave-cash@weave "weave"
Environment variables:
NPM_CACHE_DIR npm cache dir used by npx (default: /tmp/npm-cache)
RUN_INSTALL_CHECK set to 1 to run an install smoke check (default: 0)
SKILLS_AGENT agent name for install smoke check (default: claude-code)
EOF
}
if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
print_usage
exit 0
fi
source_spec="${1:-AryanJ-NYC/weave-cash@weave}"
query="${2:-weave cash}"
npm_cache_dir="${NPM_CACHE_DIR:-/tmp/npm-cache}"
agent_name="${SKILLS_AGENT:-claude-code}"
run_install_check="${RUN_INSTALL_CHECK:-0}"
if ! command -v npx >/dev/null 2>&1; then
echo "Error: 'npx' is not installed or not on PATH." >&2
exit 1
fi
echo "Checking skills.sh listing for ${source_spec}..."
npm_config_cache="${npm_cache_dir}" npx -y skills add "${source_spec}" --list
echo "Searching skills index for '${query}'..."
npm_config_cache="${npm_cache_dir}" npx -y skills find "${query}"
if [[ "${run_install_check}" == "1" ]]; then
echo "Running optional install smoke check for agent '${agent_name}'..."
npm_config_cache="${npm_cache_dir}" npx -y skills add "${source_spec}" --yes --agent "${agent_name}"
fi
```
### scripts/publish-clawhub.sh
```bash
#!/usr/bin/env bash
set -euo pipefail
print_usage() {
cat <<'EOF'
Usage:
bash skills/weave/scripts/publish-clawhub.sh <version> [changelog]
Examples:
bash skills/weave/scripts/publish-clawhub.sh 0.1.0
bash skills/weave/scripts/publish-clawhub.sh 0.1.1 "Docs-only update for skills.sh listing notes"
Environment variables:
SKILL_PATH_REL Repo-relative skill path (default: skills/weave)
CLAWHUB_CMD Optional command override, e.g. "npx -y clawhub"
NPM_CONFIG_CACHE npm cache path used with npx fallback (default: /tmp/npm-cache)
EOF
}
resolve_clawhub_cmd() {
if [[ -n "${CLAWHUB_CMD:-}" ]]; then
# shellcheck disable=SC2206
clawhub_cmd=(${CLAWHUB_CMD})
return 0
fi
if command -v clawhub >/dev/null 2>&1; then
clawhub_cmd=(clawhub)
return 0
fi
if command -v npx >/dev/null 2>&1; then
export NPM_CONFIG_CACHE="${NPM_CONFIG_CACHE:-/tmp/npm-cache}"
clawhub_cmd=(npx -y clawhub)
return 0
fi
echo "Error: neither 'clawhub' nor 'npx' is available on PATH." >&2
exit 1
}
if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
print_usage
exit 0
fi
if [[ $# -lt 1 ]]; then
print_usage
exit 1
fi
version="$1"
default_changelog="Publish weave skill ${version}: full lifecycle flow docs and runtime-safe token guidance."
changelog="${2:-$default_changelog}"
clawhub_cmd=()
resolve_clawhub_cmd
script_dir="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
repo_root="$(cd -- "${script_dir}/../../.." && pwd)"
skill_path_rel="${SKILL_PATH_REL:-skills/weave}"
(
cd "${repo_root}"
echo "Publishing '${skill_path_rel}' with version '${version}' via: ${clawhub_cmd[*]}"
"${clawhub_cmd[@]}" publish "${skill_path_rel}" --version "${version}" --changelog "${changelog}"
)
```
### scripts/release.sh
```bash
#!/usr/bin/env bash
set -euo pipefail
print_usage() {
cat <<'EOF'
Usage:
bash skills/weave/scripts/release.sh [options] <version> [changelog]
Examples:
bash skills/weave/scripts/release.sh 0.1.1
bash skills/weave/scripts/release.sh --create-git-tag 0.1.1
bash skills/weave/scripts/release.sh --publish-clawhub 0.1.1 "Security-hardening release"
bash skills/weave/scripts/release.sh --create-git-tag --publish-clawhub 0.1.1
bash skills/weave/scripts/release.sh --run-quick-validate --skill-path-rel skills/weave 0.1.1
Options:
--skill-path-rel <path> Repo-relative skill path (default: skills/weave)
--create-git-tag Create local annotated git tag
--no-create-git-tag Explicitly disable tag creation
--tag-prefix <prefix> Git tag prefix (default: v)
--publish-clawhub Publish after checks
--no-publish-clawhub Explicitly disable publish
--check-skills-sh Run skills.sh listing verification (default: on)
--no-check-skills-sh Skip skills.sh listing verification
--skills-install-smoke Include skills.sh install smoke check
--run-quick-validate Run quick_validate.py when available
--no-run-quick-validate Explicitly disable quick validation
-h, --help Show this help message
Environment variables:
SKILL_PATH_REL Backward-compatible default for --skill-path-rel
CREATE_GIT_TAG Backward-compatible default for --create-git-tag
TAG_PREFIX Backward-compatible default for --tag-prefix
PUBLISH_CLAWHUB Backward-compatible default for --publish-clawhub
CHECK_SKILLS_SH Backward-compatible default for --check-skills-sh (default: 1)
RUN_SKILLS_INSTALL_CHECK Backward-compatible default for --skills-install-smoke (default: 0)
RUN_QUICK_VALIDATE Backward-compatible default for --run-quick-validate
EOF
}
skill_path_rel="${SKILL_PATH_REL:-skills/weave}"
create_git_tag="${CREATE_GIT_TAG:-0}"
publish_clawhub="${PUBLISH_CLAWHUB:-0}"
check_skills_sh="${CHECK_SKILLS_SH:-1}"
run_skills_install_check="${RUN_SKILLS_INSTALL_CHECK:-0}"
run_quick_validate="${RUN_QUICK_VALIDATE:-0}"
tag_prefix="${TAG_PREFIX:-v}"
positionals=()
while [[ $# -gt 0 ]]; do
case "$1" in
-h|--help)
print_usage
exit 0
;;
--skill-path-rel)
if [[ $# -lt 2 ]]; then
echo "Error: --skill-path-rel requires a value." >&2
exit 1
fi
skill_path_rel="$2"
shift 2
;;
--create-git-tag)
create_git_tag=1
shift
;;
--no-create-git-tag)
create_git_tag=0
shift
;;
--tag-prefix)
if [[ $# -lt 2 ]]; then
echo "Error: --tag-prefix requires a value." >&2
exit 1
fi
tag_prefix="$2"
shift 2
;;
--publish-clawhub)
publish_clawhub=1
shift
;;
--no-publish-clawhub)
publish_clawhub=0
shift
;;
--check-skills-sh)
check_skills_sh=1
shift
;;
--no-check-skills-sh)
check_skills_sh=0
shift
;;
--skills-install-smoke)
run_skills_install_check=1
shift
;;
--run-quick-validate)
run_quick_validate=1
shift
;;
--no-run-quick-validate)
run_quick_validate=0
shift
;;
--)
shift
while [[ $# -gt 0 ]]; do
positionals+=("$1")
shift
done
;;
-*)
echo "Error: unknown option: $1" >&2
print_usage
exit 1
;;
*)
positionals+=("$1")
shift
;;
esac
done
if [[ ${#positionals[@]} -lt 1 || ${#positionals[@]} -gt 2 ]]; then
print_usage
exit 1
fi
version="${positionals[0]}"
default_changelog="weave skill ${version}: security-hardening install guidance, release automation scripts, and compliance checks."
changelog="${positionals[1]:-${default_changelog}}"
script_dir="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
repo_root="$(cd -- "${script_dir}/../../.." && pwd)"
if [[ ! "${version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Error: version must be semver (e.g. 0.1.1)." >&2
exit 1
fi
(
cd "${repo_root}"
echo "Step 1/5: Security checks"
bash "${skill_path_rel}/scripts/security-check.sh" "${skill_path_rel}"
if [[ "${run_quick_validate}" == "1" ]]; then
echo "Step 2/5: Quick validate (optional)"
validator="${HOME}/.codex/skills/.system/skill-creator/scripts/quick_validate.py"
if [[ -f "${validator}" ]]; then
if python3 -c 'import yaml' >/dev/null 2>&1; then
python3 "${validator}" "${skill_path_rel}"
else
echo "Skipping quick_validate.py: PyYAML not available."
fi
else
echo "Skipping quick_validate.py: validator script not found."
fi
else
echo "Step 2/5: Quick validate skipped (--run-quick-validate not set)"
fi
if [[ "${create_git_tag}" == "1" ]]; then
echo "Step 3/5: Create local git tag"
tag_name="${tag_prefix}${version}"
if git rev-parse -q --verify "refs/tags/${tag_name}" >/dev/null; then
echo "Error: tag already exists: ${tag_name}" >&2
exit 1
fi
git tag -a "${tag_name}" -m "weave skill ${version}"
echo "Created local tag: ${tag_name}"
echo "Push with: git push origin ${tag_name}"
else
echo "Step 3/5: Git tag skipped (--create-git-tag not set)"
fi
if [[ "${check_skills_sh}" == "1" ]]; then
echo "Step 4/5: skills.sh listing verification"
if [[ "${run_skills_install_check}" == "1" ]]; then
RUN_INSTALL_CHECK=1 bash "${skill_path_rel}/scripts/check-skills-sh.sh"
else
bash "${skill_path_rel}/scripts/check-skills-sh.sh"
fi
else
echo "Step 4/5: skills.sh verification skipped (--no-check-skills-sh set)"
fi
if [[ "${publish_clawhub}" == "1" ]]; then
echo "Step 5/5: Publish to Clawhub"
bash "${skill_path_rel}/scripts/publish-clawhub.sh" "${version}" "${changelog}"
else
echo "Step 5/5: Clawhub publish skipped (--publish-clawhub not set)"
echo "Publish with: bash ${skill_path_rel}/scripts/publish-clawhub.sh ${version} \"${changelog}\""
fi
)
```
### scripts/security-check.sh
```bash
#!/usr/bin/env bash
set -euo pipefail
print_usage() {
cat <<'EOF'
Usage:
bash skills/weave/scripts/security-check.sh [skill_dir]
Defaults:
skill_dir = skills/weave
Purpose:
Run a pre-publish security lint for patterns that frequently trigger
Clawhub suspicious flags.
EOF
}
if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
print_usage
exit 0
fi
skill_dir="${1:-skills/weave}"
skill_md="${skill_dir}/SKILL.md"
if [[ ! -d "${skill_dir}" ]]; then
echo "Error: skill directory not found: ${skill_dir}" >&2
exit 1
fi
if [[ ! -f "${skill_md}" ]]; then
echo "Error: SKILL.md not found: ${skill_md}" >&2
exit 1
fi
failures=0
has_rg=0
if command -v rg >/dev/null 2>&1; then
has_rg=1
fi
run_search() {
local pattern="$1"
local path="$2"
local output_path="$3"
if [[ "${has_rg}" == "1" ]]; then
rg -n --no-heading -e "${pattern}" "${path}" >"${output_path}" 2>/dev/null
return $?
fi
grep -RInE "${pattern}" "${path}" >"${output_path}" 2>/dev/null
}
fail_match() {
local label="$1"
local pattern="$2"
if run_search "${pattern}" "${skill_dir}" "/tmp/weave-security-check.out"; then
echo "FAIL: ${label}" >&2
cat /tmp/weave-security-check.out >&2
echo >&2
failures=$((failures + 1))
fi
}
echo "Running security checks in ${skill_dir}..."
# Build regex fragments without embedding common suspicious one-liners as plain text.
downloader='(c'"'"'url|w'"'"'get)'
shell_target='(ba'"'"'sh|sh)'
space='[[:space:]]*'
pipe_to_shell_regex="^${space}${downloader}.*\\|${space}${shell_target}([[:space:]]|$)"
base64_pipe_regex="^${space}base64.*\\|${space}${shell_target}([[:space:]]|$)"
fail_match "Detected pipe-to-shell installer pattern." "${pipe_to_shell_regex}"
fail_match "Detected base64 decode piped to shell." "${base64_pipe_regex}"
fail_match "Detected URL shortener usage." '(bit\.ly|tinyurl\.com|t\.co/|goo\.gl|is\.gd)'
awk '
{
line = $0
if (match(line, /^[[:space:]-]*kind:[[:space:]]*[A-Za-z0-9_]+/)) {
value = line
sub(/^[[:space:]-]*kind:[[:space:]]*/, "", value)
sub(/[[:space:]].*$/, "", value)
if (value != "brew" && value != "node" && value != "go" && value != "uv") {
print FNR ":" line
}
}
}
' "${skill_md}" >/tmp/weave-security-check.out
if [[ -s /tmp/weave-security-check.out ]]; then
echo "FAIL: Detected unsupported install kind (allowed: brew|node|go|uv)." >&2
cat /tmp/weave-security-check.out >&2
echo >&2
failures=$((failures + 1))
fi
if ! awk '
{
line = $0
if (match(line, /^[[:space:]-]*kind:[[:space:]]*[A-Za-z0-9_]+/)) {
value = line
sub(/^[[:space:]-]*kind:[[:space:]]*/, "", value)
sub(/[[:space:]].*$/, "", value)
if (value == "brew" || value == "node" || value == "go" || value == "uv") {
found = 1
}
}
}
END {
exit(found ? 0 : 1)
}
' "${skill_md}"; then
echo "FAIL: No compliant install section found in SKILL.md frontmatter." >&2
failures=$((failures + 1))
fi
if [[ ${failures} -gt 0 ]]; then
echo "Security check failed with ${failures} issue(s)." >&2
exit 1
fi
echo "PASS: security checks completed with no blocking findings."
```