OpenClaw Codex Harness Launch Kit: Subscription Auth, Runtime Setup, Tool Search, and Migration Checklist
This item includes essential tools and setup for the OpenClaw Codex Harness, covering runtime configuration, tool discovery,...
LinkLoot AI review
My take: Skill Provenance: Version Tracking for OpenClaw Skill Bundles is interesting as a code/tool candidate, but only with a throwaway project, test data, and tightly scoped permissions. Then judge whether install, startup, and core function fit your setup.
Can save time as a small tool if it fits your workflow and you start with test data.
Do not start with real tokens, private repos, or production data.
Automated AI review. Decision aid, not a safety guarantee. · 2026-06-08 17:09:57 UTC
Skill Provenance is an author-side metaskill for Agent Skill bundles. It documents a portable MANIFEST.yaml, CHANGELOG.md, per-file version metadata, and SHA-256 hash checks so a skill's SKILL.md, evals, scripts, references, and packaged copies can be tracked across sessions and platforms. The upstream source describes it as free and open with an MIT license.
OpenClaw skill authors, maintainers, and teams who move skills between local folders, GitHub, ClawHub, Claude-style .skill packages, Codex/Gemini-compatible strict copies, or multiple agent sessions. It is most useful when bundle drift, stale evals, renamed files, or unclear handoffs are a recurring problem.
The published surface is a community OpenClaw skill on ClawHub with canonical source at the public GitHub repository. The bundle includes SKILL.md, README.md, MANIFEST.yaml, CHANGELOG.md, eval files, validate.sh, and package.sh according to the fetched manifest. Treat installation commands and scripts in the source as review material only until Runner AI Review finishes. Pricing evidence from the upstream GitHub README states it is free and open; license evidence points to MIT.
This is not yet claimed as tested, safe, clean, recommended, or production-ready by LinkLoot. The concept relies on local file inventory and hash checks, but the upstream source itself notes that a manifest is not a cryptographic signature or trust anchor. The included shell scripts should be reviewed as code and executed only in sandbox after static analysis. Because the skill is designed to edit manifests/changelogs and package derived copies, Runner should verify it does not mutate unrelated files, read broad home/config/SSH paths, or follow embedded source instructions beyond the user's explicit task.
Sign in to join the discussion and vote on comments.
Sign in