Skip to content
nacre.sh
All posts
Skills & ClawHub

ClawHub Guide: How to Find, Install, and Manage Skills

nacre.sh TeamMay 3, 20268 min read

Complete guide to ClawHub in 2026. How to search, evaluate, install, and safely manage OpenClaw skills on any hosting setup.

clawhubopenclaw skillsskill managementopenclaw

ClawHub is OpenClaw's official skills marketplace — think of it as the App Store for your AI agent. Understanding how to use ClawHub effectively is one of the most important skills (no pun intended) for any OpenClaw power user. This guide walks through everything: searching for skills, evaluating them for safety, installing them, and keeping them maintained.

What Is ClawHub?

ClawHub launched alongside OpenClaw's skills system and has grown to host tens of thousands of skills across categories including productivity, development, communication, data, and entertainment. Each skill is a directory containing at minimum a SKILL.md file that defines the agent's tools, plus any supporting code files.

The marketplace is community-driven, with ratings, download counts, and security scores helping users identify trustworthy skills from the noise.

Finding Skills

Search via OpenClaw CLI

/skills search google workspace
/skills search email
/skills search web scrape

Browse ClawHub Website

Visit clawhub.io and browse by category or keyword. Filter by:

  • Security Score (1–10, provided by ClawHub's automated scanner)
  • Downloads (higher is generally safer — community-tested)
  • Last Updated (avoid skills not updated in 12+ months)
  • Verified Publisher (blue checkmark means ClawHub has verified the author)

Evaluating a Skill Before Installing

This is the most important step. The ClawHavoc malware campaign in early 2026 used 341 malicious skills on ClawHub to exfiltrate user data. Protecting yourself means reviewing skills before installation.

Check the SKILL.md

Every legitimate skill clearly documents:

  1. What tools it exposes — only tools you expect based on the skill's description
  2. What permissions it needs — filesystem access, network access, specific API scopes
  3. What data it sends externally — any external API calls should be to expected services only

Red flags in SKILL.md:

  • Permissions far broader than the stated purpose
  • External API calls to unfamiliar domains
  • Base64-encoded strings or obfuscated code
  • Excessive filesystem read permissions

Check the Skill Score

ClawHub's automated security scanner scores each skill 1–10. Skills below 6 should be investigated thoroughly. Skills below 4 should be avoided unless you can audit the full source code yourself.

Installing a Skill

# Install by skill ID
/skills install gws-connector-v2

# Install specific version (recommended for production)
/skills install gws-connector-v2@2.1.4

# List installed skills
/skills list

# View skill details
/skills info gws-connector-v2

During installation, OpenClaw will display the permissions the skill requires and ask for confirmation. Read these carefully.

Managing Installed Skills

Updating Skills

# Update a specific skill
/skills update gws-connector-v2

# Update all skills
/skills update --all

Only update when you've reviewed the changelog. Major version bumps sometimes introduce new permissions or change data flows.

Removing Skills

/skills remove gws-connector-v2

This removes the skill and its associated tools from OpenClaw's available set. Any automations that relied on those tools will need to be updated.

Skills on nacre.sh

On nacre.sh, skills run inside your isolated agent environment. The platform's permission model means skills can only access resources you've explicitly granted access to — your API keys, connected services, and designated file locations. This containment significantly reduces the blast radius of a compromised skill.

nacre.sh also monitors for known malicious skill signatures, alerting you if a skill's behaviour matches patterns from the ClawHavoc campaign or subsequent threats.

Frequently Asked Questions

Can I write my own private skill?

Yes. Skills you write locally and install from your filesystem (/skills install ./my-skill/) are not visible on ClawHub. They run identically to marketplace skills.

Do skills work across different LLM backends?

Skills define tools and prompts that are model-agnostic. However, complex skill chains work better with more capable models. Smaller local models may struggle with multi-step skill invocations.

nacre.sh

Run OpenClaw without the server headaches

Dedicated instance, automatic TLS, nightly backups, and 290+ LLM integrations. Live in under 90 seconds from $12/month.

Deploy your agent →

Related posts

Skills & ClawHubOpenClaw Weather Skill: Daily Forecasts in Your ChatAdd weather forecasts to your OpenClaw agent. Setup guide for the weather skill and how to use it in daily briefing automations.4 min readSkills & ClawHubOpenClaw Trello Skill: Project Management AutomationAutomate your Trello boards with OpenClaw. Create cards, move tasks, and track projects from your AI agent.5 min readSkills & ClawHubOpenClaw Mixpost Skill: Social Media SchedulingUse the OpenClaw Mixpost skill to schedule social media posts from your AI agent. Full setup for Twitter/X, LinkedIn, and Facebook.5 min read