fix(claws): drop primaryEnv from sageox skills, require claude bin

[galexy]

Summary

• Convert sageox-distill and sageox-summary SKILL.md frontmatter to the JSON-style metadata shape used by openclaw's coding-agent skill, so requires / install parse the way ClawHub's scanner expects.
• Remove primaryEnv: ANTHROPIC_API_KEY and requires.env: [ANTHROPIC_API_KEY] from both skills. The OpenClaw per-skill apiKey injection mechanism didn't actually deliver the key into the skill's process environment, so users hit auth failures with a misleading "key is set" check.
• Add claude to requires.bins for both skills (sageox-summary already had it; sageox-distill now declares it because ox distill shells out to claude).
• Add a node-claude install entry (@anthropic-ai/claude-code) to sageox-distill, and add id / label fields to every install entry in both skills to match the coding-agent shape.

Motivation

The skills' frontmatter was using a YAML shape that didn't match openclaw's current schema, and the primaryEnv injection path the prose described doesn't work in practice. Both skills would do a test -n "$ANTHROPIC_API_KEY" check, conclude the key was set, then fail on the actual Anthropic call. Aligning with coding-agent's shape (which parses correctly) and dropping the broken injection language puts auth on the only path that actually works: claude login (Pro/Max OAuth) or shell-exported ANTHROPIC_API_KEY.

What changed in the prose

• Both SKILL.md files: dropped the "§1 Environment variables" section, merged credential guidance into "§1 Required binaries", renumbered §3→§2, §4→§3, §5→§4, and rewrote the auth check to verify claude login or shell ANTHROPIC_API_KEY (the skill no longer claims to inject the key itself).
• claws/openclaw/README.md: replaced the long "Environment setup → Anthropic API key" section (per-skill apiKey config, precedence rule, sandboxed Docker block) with a short "Claude credentials" section.
• Both skill README.md files: removed broken #environment-setup anchors and per-skill apiKey language.
• PUBLISHING.md: dropped requires.env from the metadata-mismatch troubleshooting row.
• references/INSTALL.md and scripts/install-ox-git.sh in both skills: updated stale § 3 cross-references after the renumber.

Versions

• sageox-distill: 0.1.0 → 0.2.0 (new required bin, dropped per-skill apiKey contract)
• sageox-summary: 0.2.0 → 0.3.0 (dropped per-skill apiKey contract)

Test plan

• python3 .claude/skills/clawhub-skill-lint/scripts/lint.py claws/openclaw/sageox-distill claws/openclaw/sageox-summary → both PASS, 0 critical / 0 warnings
• Throwaway-slug pre-flight publish before claiming the canonical slug (per PUBLISHING.md)
• Run sageox-distill end-to-end against a real team with ANTHROPIC_API_KEY exported in the shell — confirm ox distill succeeds
• Run sageox-summary end-to-end with claude login only (no ANTHROPIC_API_KEY) — confirm claude -p inherits the OAuth session

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Updated credential authentication approach: users must now authenticate the claude CLI via claude login or by exporting ANTHROPIC_API_KEY in their shell, instead of configuring per-skill API keys.
  • Simplified setup instructions across OpenClaw, sageox-distill, and sageox-summary skills.
  • Updated skill versions and metadata to reflect new authentication model.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR refactors OpenClaw skill authentication from per-skill ANTHROPIC_API_KEY injection to host-level credential management via the claude CLI, updates sageox-distill and sageox-summary skill metadata to declare required binaries (claude, ox, jq, gh, git) instead of environment variables, bumps skill versions, and updates documentation and troubleshooting guidance across multiple files to reflect the new model.

Changes

Cohort / File(s)	Summary
Core Documentation claws/openclaw/PUBLISHING.md, claws/openclaw/README.md	Clarified binary requirement in troubleshooting; replaced Anthropic per-skill apiKey setup instructions with claude CLI authentication requirements (both claude login and host-level ANTHROPIC_API_KEY export).
sageox-distill Updates claws/openclaw/sageox-distill/README.md, claws/openclaw/sageox-distill/SKILL.md	Updated version from 0.1.3 to 0.2.0; replaced requires.env and primaryEnv declarations with requires.bins (ox, git, gh, jq, claude); shifted authentication docs from per-skill apiKey to claude CLI with shell-level ANTHROPIC_API_KEY.
sageox-summary Updates claws/openclaw/sageox-summary/README.md, claws/openclaw/sageox-summary/SKILL.md	Updated version from 0.2.3 to 0.3.0; converted metadata to inline JSON format, removed primaryEnv and requires.env, kept requires.bins (ox, claude, jq); replaced per-skill apiKey documentation with host-level claude CLI authentication guidance.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat(claws): add openclaw sageox skills + clawhub-skill-lint #485: Directly modifies the same OpenClaw skill frontmatter and README authentication/binary requirements introduced in that PR.
• fix(claws): trim openclaw skill prose, adopt distill --quiet #495: Updates identical skill metadata (metadata.openclaw, primaryEnv, requires.bins) and authentication documentation in the same files.
• refactor(claws): sageox-summary reads via ox distill history #513: Modifies the same sageox-summary SKILL.md metadata, replacing per-skill ANTHROPIC_API_KEY with claude CLI requirements.

Poem

🐰 No more secrets tucked in config files,
Our skills now speak to Claude with style!
The CLI takes the reins with grace,
Authentication finds its rightful place! 🔑✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately and concisely summarizes the main change: removing primaryEnv from sageox skills and requiring the claude binary. It directly reflects the primary objectives and modifications throughout the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch galex/claws-sageox-frontmatter

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@claws/openclaw/sageox-summary/SKILL.md`:
- Around line 64-67: The auth docs incorrectly state that ANTHROPIC_API_KEY in
the launching shell reaches the skill subprocess; update the SKILL.md text
around the `claude -p` description to instead document `claude login` as the
guaranteed in-skill path (the OAuth session under `~/.claude/`), and add a note
that while `ANTHROPIC_API_KEY` in `~/.openclaw/.env` or the launching shell can
authenticate the OpenClaw daemon/launcher, the `ox` daemon sanitizes adapter
environments (patterns matching KEY/SECRET/TOKEN/PASSWORD and even
`required_env` entries), so those variables do not propagate into the skill
process. Ensure the same replacement is applied to the duplicate blocks
previously at the other two locations.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 936ec7fc-d9ce-43b4-84d3-946d9f1554f3

📥 Commits

Reviewing files that changed from the base of the PR and between 927a95a and f874a36.

📒 Files selected for processing (10)

• claws/openclaw/PUBLISHING.md
• claws/openclaw/README.md
• claws/openclaw/sageox-distill/README.md
• claws/openclaw/sageox-distill/SKILL.md
• claws/openclaw/sageox-distill/references/INSTALL.md
• claws/openclaw/sageox-distill/scripts/install-ox-git.sh
• claws/openclaw/sageox-summary/README.md
• claws/openclaw/sageox-summary/SKILL.md
• claws/openclaw/sageox-summary/references/INSTALL.md
• claws/openclaw/sageox-summary/scripts/install-ox-git.sh

[coderabbitai]

♻️ Duplicate comments (1)

claws/openclaw/sageox-summary/SKILL.md (1)

64-67: ⚠️ Potential issue | 🟠 Major

Auth guidance still claims shell ANTHROPIC_API_KEY reaches the skill subprocess.

This repeats the previously flagged env-sanitization mismatch. Please update this block to treat claude login as the guaranteed in-skill path, and clarify that shell-exported ANTHROPIC_API_KEY may authenticate launcher/host context but is not guaranteed to propagate into the skill process.
Downstream duplicate wording at Line 327–Line 330 should be updated in the same way.

Suggested doc patch

-`claude -p` will use whatever credentials `claude` already has — either
-an OAuth session from `claude login` (Pro/Max subscription) or
-`ANTHROPIC_API_KEY` exported in the shell that launched OpenClaw. The
-skill no longer accepts a per-skill `apiKey`.
+`claude -p` should be treated as requiring credentials already available
+to the `claude` CLI inside the skill process. The guaranteed path is an
+OAuth session from `claude login` (Pro/Max subscription). The skill no
+longer accepts a per-skill `apiKey`.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@claws/openclaw/sageox-summary/SKILL.md` around lines 64 - 67, Update the
documentation block in SKILL.md (the paragraph starting with "`claude -p` will
use whatever credentials `claude` already has") to state that "claude login" is
the guaranteed in-skill authentication path and that a shell-exported
ANTHROPIC_API_KEY may authenticate the launcher/host context but is not
guaranteed to propagate into the skill subprocess; also remove or clarify the
sentence about the skill no longer accepting a per-skill `apiKey`. Apply the
same change to the duplicate wording around the later block referenced (the
content currently at lines showing the duplicate wording, originally Lines
327–330) so both places explicitly distinguish guaranteed in-skill auth via
`claude login` vs. unreliable propagation of an environment ANTHROPIC_API_KEY.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@claws/openclaw/sageox-summary/SKILL.md`:
- Around line 64-67: Update the documentation block in SKILL.md (the paragraph
starting with "`claude -p` will use whatever credentials `claude` already has")
to state that "claude login" is the guaranteed in-skill authentication path and
that a shell-exported ANTHROPIC_API_KEY may authenticate the launcher/host
context but is not guaranteed to propagate into the skill subprocess; also
remove or clarify the sentence about the skill no longer accepting a per-skill
`apiKey`. Apply the same change to the duplicate wording around the later block
referenced (the content currently at lines showing the duplicate wording,
originally Lines 327–330) so both places explicitly distinguish guaranteed
in-skill auth via `claude login` vs. unreliable propagation of an environment
ANTHROPIC_API_KEY.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b1abbce1-36ec-45bc-a2c5-f4f10f6df35d

📥 Commits

Reviewing files that changed from the base of the PR and between f874a36 and 3830ca5.

📒 Files selected for processing (6)

• claws/openclaw/PUBLISHING.md
• claws/openclaw/README.md
• claws/openclaw/sageox-distill/README.md
• claws/openclaw/sageox-distill/SKILL.md
• claws/openclaw/sageox-summary/README.md
• claws/openclaw/sageox-summary/SKILL.md

✅ Files skipped from review due to trivial changes (2)

• claws/openclaw/PUBLISHING.md
• claws/openclaw/sageox-summary/README.md

🚧 Files skipped from review as they are similar to previous changes (3)

• claws/openclaw/README.md
• claws/openclaw/sageox-distill/README.md
• claws/openclaw/sageox-distill/SKILL.md