clawhub-install
v1.0.1Download and install skills from ClawHub directly via curl, bypassing official CLI rate limits. Use when the user wants to install one or more ClawHub skills...
⭐ 0· 429·0 current·0 all-time
by@upupc
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (bypass CLI rate limits to download and install skills) aligns with the included script: it queries OpenClaw for the workspace and writes to workspace/skills. However, the download host (https://wry-manatee-359.convex.site) is not an obvious official ClawHub/official domain, which is unexpected for a tool that claims to install ClawHub skills.
Instruction Scope
Instructions and script only perform workspace lookup, download, unzip, and place files under workspace/skills — which is within scope — but they provide no integrity checks (no checksum/signature verification) and no validation of package contents before extraction. The script will overwrite existing skill directories, which is expected for installs but increases risk if the source is untrusted.
Install Mechanism
There is no packaged install spec (instruction-only plus a shell script). The script downloads archives from a third-party HTTPS endpoint (convex.site). Downloading and extracting arbitrary archives from an untrusted URL is a high-risk install mechanism because it can drop arbitrary code into the agent workspace.
Credentials
The skill does not request credentials or environment variables and only requires the presence of curl, unzip, and openclaw (which the script checks). Those requirements are proportionate to the described task.
Persistence & Privilege
The skill is not forced-always and does not modify other skills' configs. It writes into the agent workspace (workspace/skills) and removes/overwrites existing skill directories — appropriate for an installer but a privilege to be cautious about because it can replace installed skills.
What to consider before installing
This script does exactly what it says — it downloads zip files and unpacks them into your agent's skills folder — but the downloads come from an unexpected third‑party host and there are no integrity checks. Before installing, verify the download source is legitimate (confirm the domain is trusted and owned by ClawHub or your organization), inspect the zip contents manually in a sandbox, prefer the official CLI when possible, request/require cryptographic signatures or checksums for packages, and run the installer in an isolated environment if you must use it. If you can't verify the source, treat this as high-risk and avoid running it on production or sensitive agents.Like a lobster shell, security has layers — review code before you run it.
latest
ClawHub Install
Downloads and installs skills from ClawHub by direct URL access, avoiding rate limits that may occur with the official CLI.
Usage
bash {baseDir}/scripts/install.sh <skill_name> [skill_name2] [skill_name3] ...
Steps
Each skill installation follows these steps:
- Get workspace path: Retrieves the workspace directory from OpenClaw config using
openclaw config get agents.defaults.workspace - Download: Downloads the skill package from
https://wry-manatee-359.convex.site/api/v1/download?slug=<skill_name> - Extract: Unzips the package to
<workspace>/skills/<skill_name>
Examples
# Install single skill
bash {baseDir}/scripts/install.sh finnhub
# Install multiple skills in one run
bash {baseDir}/scripts/install.sh finnhub massive-api tavily-search
Error Handling
The script will:
- Report errors if required commands (curl, unzip, openclaw) are missing
- Skip existing skills after removing them
- Show success/failure count after batch installation
Use Cases
- Use when
clawhub installcommand is rate-limited - Use when installing multiple skills in batch
- Use when direct download is preferred over CLI installation
Comments
Loading comments...