ClawHub

Clawdhub

Use the ClawdHub CLI to search, install, update, and publish agent skills from clawdhub.com. Use when you need to fetch new skills on the fly, sync installed skills to latest or a specific version, or publish new/updated skill folders with the npm-installed clawdhub CLI.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
198 · 23.2k · 331 current installs · 358 all-time installs
byPeter Steinberger@steipete
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description align with the SKILL.md: it instructs use of a 'clawdhub' CLI to search, install, update, list, and publish skills. However, the package/source provenance is missing (no homepage, unknown source, opaque owner ID), and the SKILL.md contains an npm install step for a package named 'clawdhub' that is not otherwise validated by registry metadata — this lack of provenance reduces confidence.
!
Instruction Scope
The instructions explicitly tell the agent to install and use a CLI that will download, write, update, and publish skill folders (default install dir ./skills). That behavior is coherent with the stated purpose, but it allows fetching and writing arbitrary code from an external registry and includes options like --force and --no-input which can bypass confirmations. The SKILL.md also documents overriding the registry via CLAWDHUB_REGISTRY, which can redirect installs to arbitrary endpoints. These facts meaningfully expand the agent's ability to pull external code and should be considered high-risk without verified provenance.
Install Mechanism
This is an instruction-only skill (no install spec in registry), but SKILL.md tells users/agents to run 'npm i -g clawdhub' (global npm install). Installing a global npm package is a moderate-risk install mechanism because it downloads and executes third-party code; the registry entry lacks a formal install spec and there's no confirmed trusted release host or checksum. Global installs may also require elevated privileges.
Credentials
The skill declares no required env vars, but the documentation references CLAWDHUB_REGISTRY to override the registry and implies an auth/login flow (clawdhub login). The skill does not declare any required credentials or tokens up front. The ability to override the registry via environment variable is reasonable for a CLI, but it could be abused to point the CLI at a malicious registry — this should be treated as a sensitive setting.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and uses no special OS restrictions. It instructs installing a CLI and writing skill folders to the current working directory (./skills by default), which is normal for a package manager-style tool. Note that global npm installs can affect the system environment and may require elevated privileges; that's operational risk rather than an intrinsic permission request in the skill metadata.
What to consider before installing
This skill is coherent with its claimed function (it tells an agent how to use a CLI to manage skills) but lacks provenance and lets the agent download and install third-party code. Before installing or using it: 1) verify the npm package 'clawdhub' exists on a trusted registry and review its source code or GitHub repo and release checksums; 2) avoid running 'npm i -g' as root — prefer a container or isolated environment; 3) do not set or allow CLAWDHUB_REGISTRY to point to untrusted endpoints; 4) review any skill packages that the CLI would install before executing them, and avoid enabling automatic --force or --no-input upgrades; 5) require explicit human approval for publishing or installing new skills. If you cannot verify the package's origin or repository, treat the tool as high-risk and do not run it on critical or production systems.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk971z0hmgg09ezb8svtkv18e9x7yknzs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsclawdhub

Install

Install ClawdHub CLI (npm)
Bins: clawdhub
npm i -g clawdhub

SKILL.md

ClawdHub CLI

Install

npm i -g clawdhub

Auth (publish)

clawdhub login
clawdhub whoami

Search

clawdhub search "postgres backups"

Install

clawdhub install my-skill
clawdhub install my-skill --version 1.2.3

Update (hash-based match + upgrade)

clawdhub update my-skill
clawdhub update my-skill --version 1.2.3
clawdhub update --all
clawdhub update my-skill --force
clawdhub update --all --no-input --force

List

clawdhub list

Publish

clawdhub publish ./my-skill --slug my-skill --name "My Skill" --version 1.2.0 --changelog "Fixes + docs"

Notes

  • Default registry: https://clawdhub.com (override with CLAWDHUB_REGISTRY or --registry)
  • Default workdir: cwd; install dir: ./skills (override with --workdir / --dir)
  • Update command hashes local files, resolves matching version, and upgrades to latest unless --version is set

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…