ClawHub

Find Skills for ClawHub

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill coherently helps search and install ClawHub skills, but installation commands can change what OpenClaw loads, so approvals should be deliberate.

This skill appears safe for its stated purpose. Before installing any discovered skill, confirm the exact skill slug, review its details, and only approve npm/npx, install, update, publish, or sync commands that you actually want to run.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Running the helper may execute an external CLI package to perform searches.

Why it was flagged

The helper falls back to running the ClawHub npm package through npx if the global CLI is absent. This is purpose-aligned, but it depends on the external npm/ClawHub package source.

Skill content
elif command -v npx &> /dev/null; then
    CLAWHUB_CMD="npx clawhub"
Recommendation

Use the official ClawHub CLI source and approve npm/npx use before running the helper.

#ASI02: Tool Misuse and Exploitation
Medium
What this means

Approving an install can add new instructions or capabilities that OpenClaw loads later.

Why it was flagged

The install flow can modify the OpenClaw workspace and affect future assistant behavior. It is disclosed and user-directed, but it is an impactful action.

Skill content
If the user wants to install a skill:
clawhub install <skill-slug>
... Skills are installed into your OpenClaw workspace's `skills` directory. OpenClaw will automatically load them in the next session.
Recommendation

Review the selected skill’s source, permissions, and purpose before approving installation or updates.

#ASI03: Identity and Privilege Abuse
Low
What this means

If you choose publishing or syncing, your ClawHub account and local skills may be used.

Why it was flagged

The artifact makes login optional and not required for search/install, but publishing or syncing would involve ClawHub account access and local skill content.

Skill content
For searching and installing, login is not required. For publishing your own skills:
clawhub login
... Back up your local skills to ClawHub:
clawhub sync --all
Recommendation

Do not log in, publish, or run sync commands unless you specifically intend to share or back up skills to ClawHub.