How to Install OpenClaw Skills from ClawHub and Other Sources

When VirusTotal began scanning every package published to ClawHub in February 2026, it surfaced hundreds of actively malicious skills across the registry's 13,700+ listings. That stat matters because skills run with the same permissions as your agent. A bad skill can read your environment variables, execute shell commands, or exfiltrate files without any visible prompt.

Each skill is a self-contained capability package built around a SKILL.md definition file. The range is wide: simple utilities like weather lookups and file formatters sit alongside complex workflows for browser automation, CI/CD pipelines, and database management. The ClawHub registry hosts over 13,700 community-contributed and official skills, making it the primary discovery source. You can also install directly from Git repositories or local directories.

Skills run with the same permissions as your agent, which makes installation a security decision, not just a convenience choice. This guide separates finding, installing, configuring, and verifying skills across all four sources so you can make informed choices at each step.

ClawHub provides two discovery paths: the command-line interface and the web UI at clawhub.ai.

The CLI supports natural language queries from the terminal:

clawhub search "postgres backups"

Results return the skill slug, star count, download count, and a one-line description. Natural language queries tend to work better than exact package names because the search uses vector matching.

The web interface adds more context. Each skill page shows the full readme, version history, install stats, and a security scan summary. Since February 2026, every published skill gets an automatic VirusTotal scan. The scan result appears on the skill page before you install: benign, suspicious, or malicious. Skills flagged as suspicious remain available but carry a visible warning.

You can also explore skills by category using clawhub package explore --family <category> or inspect a specific package with clawhub package inspect <slug>. Both are useful when you know the general problem area but not the exact skill name.

What to check before installing:

• Read the full SKILL.md, not just the one-line description
• Check the VirusTotal scan status on the skill page
• Look at download count and star count for social proof
• Review the scripts/ directory if one exists
• Check how recently the skill was updated

For skills you plan to use in production, pay attention to the metadata block in the skill's frontmatter. It declares what binaries, environment variables, and platform constraints the skill requires, which determines whether the skill will actually load on your machine.

OpenClaw supports four installation sources. Each serves a different use case.

1. ClawHub Registry

The most common method. Use the skill's slug from the registry:

openclaw skills install <skill-slug>

This installs into the current workspace's skills/ directory. To install globally so every agent session can access the skill:

openclaw skills install <skill-slug> --global

Global installs land in ~/.openclaw/skills/. The ClawHub CLI offers the same functionality:

clawhub install <slug>

The CLI records version info in .clawhub/lock.json, which makes reproducible environments easier to manage.

2. Git Repositories

For skills hosted on GitHub or other Git providers that are not published to ClawHub:

openclaw skills install git:owner/repo@ref

The @ref part is optional but recommended. Pin to a tag or commit hash rather than a branch name. Branch references can change underneath you, which breaks reproducibility and introduces security risk.

3. Local Paths

For skills you are developing or ones you downloaded manually:

openclaw skills install ./path/to/skill --as my-tool

The --as flag lets you assign a custom name. This is useful when testing skill variations or when the folder name does not match the intended skill name.

4. Manual Placement

You can also drop a skill folder directly into any of the six skill directories. Create a folder with a valid SKILL.md file and OpenClaw picks it up on the next session. No install command needed.

This method skips the dangerous-code scanner that the gateway runs on CLI installs, so only use it for skills you wrote yourself or have reviewed line by line.

Give your OpenClaw agent a persistent workspace

50GB free storage with MCP access, no credit card. Your skills generate files, Fast.io stores, indexes, and shares them.

Sign Up Free

OpenClaw checks six locations for skills, in this order. When two skills share a name, the higher-priority location wins.

1. Workspace skills at <workspace>/skills/
2. Project agent skills at <workspace>/.agents/skills/
3. Personal agent skills at ~/.agents/skills/
4. Managed/local skills at ~/.openclaw/skills/
5. Bundled skills shipped with the OpenClaw installation
6. Extra directories listed in the skills.load.extraDirs config setting

This precedence matters when you want to override a bundled skill or test a modified version of a community skill. Place your override in the workspace skills/ folder and it takes priority over the same-named skill in ~/.openclaw/skills/ or the bundled set.

Controlling Which Skills Load

By default, all bundled skills auto-load. To restrict this, set an allowlist under skills.entries.allowBundled in your openclaw.json:

{
  "skills": {
    "entries": {
      "allowBundled": [
        "github", "tmux", "session-logs",
        "clawhub", "healthcheck"
      ]
    }
  }
}

Only the listed skills will load from the bundled set. Community-installed and workspace-level skills load independently of this setting.

Gating Requirements

Skills can declare what they need to run. The metadata block in SKILL.md frontmatter supports several gating fields:

• requires.bins: binaries that must exist on the host (checked at load time)
• requires.anyBins: at least one of these binaries must be present
• requires.env: environment variables that must be set
• requires.config: config paths that must exist in openclaw.json
• os: platform filter (darwin, linux, win32)

If a gating check fails, the skill silently stays unloaded rather than throwing an error. OpenClaw snapshots the eligible skill set at session start, so you will only see skills whose gates passed when you begin a new session. You can also disable a specific skill through config by setting skills.entries.<name>.enabled: false in your openclaw.json.

The VirusTotal integration is a meaningful improvement, but it does not eliminate risk. A Snyk audit of 3,984 ClawHub skills found 283 with critical security flaws that exposed credentials, roughly 7% of the sample. Prompt injection payloads, obfuscated data exfiltration, and social engineering in skill instructions can all pass a static scan.

Pre-install checks (automated):

OpenClaw's gateway runs a built-in dangerous-code scanner before executing any installer metadata from a CLI install. Critical findings block the install by default. The scanner checks for shell command execution, network access patterns, and file system operations that fall outside expected skill behavior.

Pre-install checks (manual):

Read the SKILL.md file before installing. Look for Bash tool calls that download and execute remote code, environment variable reads that could leak credentials, and instructions that ask the agent to bypass confirmation prompts. Check the scripts/ directory for anything that runs at install time.

Post-install verification:

After installing, use clawhub list to see all tracked packages. OpenClaw snapshots the eligible skill set when a session starts, so you can start a new session and observe which skills load based on whether their gating requirements (binaries on PATH, environment variables set, correct OS) are satisfied. If a skill you installed does not appear, its gates are failing silently.

Path containment:

OpenClaw validates that workspace skill directories resolve to paths inside the configured workspace root. Symlinks pointing outside the workspace are rejected unless you explicitly trust the target path via the skills.load.allowSymlinkTargets configuration option. This prevents a skill from tricking the loader into reading files from arbitrary locations on disk.

Permission scoping:

When running skills from untrusted sources, scope the agent's tool permissions. A web research skill should not need file write or shell access. Grant only what the skill's stated purpose requires, and review the skill's metadata.openclaw.requires block to understand what system access it declares upfront.

Keeping Skills Current

Update all installed skills at once:

openclaw skills update --all

Or target a specific skill:

openclaw skills update <skill-slug>

Add --global to either command to update globally installed skills:

openclaw skills update --all --global

ClawHub re-scans all active skills daily, so an update might also pull in improved security verdicts.

Removing Skills

Delete the skill's folder from the appropriate directory. For workspace installs, remove the folder from <workspace>/skills/<skill-name>/. For global installs, remove it from ~/.openclaw/skills/<skill-name>/. The skill disappears from the next session.

Common Issues

Skill not loading after install: Start a new session and check whether the skill appears. If it does not, a gating requirement likely failed. Verify that required binaries are on your PATH, environment variables are set, and your OS matches the skill's platform filter. You can also check clawhub list to confirm the package is tracked.

Wrong skill version loading: A workspace-level skill with the same name shadows a global one. Check all six precedence locations for duplicates.

Nested folder structure: After manual extraction, verify the path is skills/<skill-name>/SKILL.md, not skills/<skill-name>/<skill-name>/SKILL.md. An extra nesting level prevents the loader from finding the frontmatter.

Migrating from Codex: If you are coming from a Codex-based setup, OpenClaw provides migration commands:

openclaw migrate plan codex
openclaw migrate codex --skill <name>

The first command shows what would change. The second executes the migration for a specific skill.

Where Agent Output Goes

Once your skills are installed and running, your agent generates files: reports, code, data extracts, processed documents. Those files need somewhere persistent to live, especially if you are handing off work to a human or another agent.

Fast.io provides free workspaces for OpenClaw agents built for exactly this handoff. Agents connect through the MCP server or REST API to store files, and humans access the same workspace through a browser. Intelligence Mode auto-indexes everything for semantic search and RAG queries. The free agent plan includes 50GB of storage, 5,000 monthly credits, and 5 workspaces with no credit card required. If your OpenClaw agent creates files that other people need to find, review, or act on, a shared workspace removes the friction of manual file transfers.