Install ClawHub skills safely

Supply-chain checklist before you run community code on your agent

ClawHub hosts hundreds of community skills—calendar hooks, GitHub helpers, smart-home tools, and more. Most authors are helpful; some packages are malicious or careless. Because a skill can ask the agent to run shell commands and read files, treat every install like adding a new admin to your machine.

This guide walks through what to check before openclaw skills install. For broader agent security, see Is OpenClaw safe? and the skills overview.

What ClawHub already does for you

VirusTotal scanning. Published skills are scanned (including Code Insight). Reports appear on skill pages; suspicious uploads can be flagged or blocked. That catches many known-bad patterns—it does not replace reading the code. Details: VirusTotal partnership blog.

Scanning is one layer. You still control pairing, Gateway exposure, and whether the skill runs with full shell access.

Red flags in SKILL.md and scripts

Before installing, open the skill repo or preview on ClawHub and look for:

  • Requests for wallet seeds, SSH private keys, or ~/.aws / ~/.ssh paths unrelated to the feature.
  • Obfuscated shell, base64 blobs, or "run this curl | bash" without explanation.
  • Exfiltration — POST to unknown domains, pastebin, or Telegram bots not named in the description.
  • Scope mismatch — A "weather" skill that wants Gmail OAuth and full disk read.
  • Brand-new author, no reviews, copied description—higher scrutiny, not automatic rejection.

Safe install workflow (step by step)

  1. Find the skill on clawhub.ai/skills or ClawHub guide. Note version and VirusTotal badge.
  2. Read SKILL.md end to end. Skim any scripts/, bin/, or install hooks.
  3. Install in a test workspace (optional but wise)—separate ~/.openclaw profile or VM before your main bot.
  4. Install:
Terminal
openclaw skills install <skill-name>
openclaw skills list
  1. Enable deliberately in configuration—disable until you are satisfied.
  2. Audit: openclaw security audit --deep after new skills land.
  3. Watch first runs in Gateway logs (observability) for unexpected network or file access.

Least privilege practices

  • Separate API keys — Use scoped tokens (read-only calendar, repo-specific GitHub PAT) in skill config, not your master passwords.
  • Sandbox untrusted skills — Docker or a dedicated user account limits blast radius (Docker deploy).
  • Do not install from random zip links in DMs—only ClawHub or sources you verified.
  • Pin versions — Re-installing can pull updates; re-read changelogs on upgrade (skills management).
  • Prefer n8n for fixed integrations when you need audit trails and credential vaults (OpenClaw + n8n).

If something looks malicious

  1. Disable the skill in config and stop the Gateway.
  2. Rotate any API keys that skill could have read.
  3. Remove the skill directory under workspace/skills/.
  4. Report on ClawHub / community channels; for vulnerabilities in core OpenClaw, use GitHub Security.

FAQ

Does VirusTotal mean a skill is safe? No—it means it passed automated checks. Still read the code.

Can I use skills without ClawHub? Yes—copy skills into your workspace manually; same review rules apply.

Are official OpenClaw skills safer? Skills bundled with docs or well-known repos are easier to audit; community skills vary.

Related