27,100 monthly searches for "openclaw skills" in February 2026, up from 1,300 in January. Skills are the reason OpenClaw went from a weekend hack to a platform. They are also the reason one in five packages on ClawHub contains malware. This guide covers what skills actually are, how to write them, how the marketplace works, and what to check before you install anything.
What Skills Actually Are
An OpenClaw skill is a folder with a SKILL.md file inside it. That file has two parts: YAML frontmatter for metadata, and a markdown body with step-by-step instructions. When the skill activates, the agent reads those instructions and follows them. No compiled code, no runtime, no API. Just a markdown document that tells an LLM what to do.
The format follows the AgentSkills specification, an open standard originally developed by Anthropic. The same skill file now works across Claude Code, Cursor, Codex CLI, Gemini CLI, GitHub Copilot, Windsurf, Cline, Amp, and ChatGPT. This portability is why the ecosystem grew so fast: write once, use in any agent.
Skills load from three locations, in precedence order: workspace skills (./skills/ in your project), managed skills (~/.openclaw/skills/), and bundled skills that ship with the installation. If a skill name conflicts, workspace wins. You can add extra directories via skills.load.extraDirs in openclaw.json.
The SKILL.md Format
The frontmatter declares what the skill is and what it needs. The body declares what the skill does. Both are plain text.
SKILL.md frontmatter structure
---
name: daily-standup-summary
description: Summarize yesterday's git commits and open PRs into a standup update
version: 1.0.0
user-invocable: true
metadata: {"openclaw":{"requires":{"bins":["gh","git"],"env":["GITHUB_TOKEN"]},"primaryEnv":"GITHUB_TOKEN","emoji":"๐","os":["darwin","linux"]}}
---
## Instructions
When the user asks for a standup summary or daily update:
1. Run `git log --since="yesterday" --oneline` to get recent commits
2. Run `gh pr list --state open --author @me` to get open PRs
3. Run `gh pr list --state merged --author @me --search "merged:>yesterday"` for merged PRs
4. Format the output as:
- **Done yesterday:** [list of merged PRs and commits]
- **In progress:** [list of open PRs with status]
- **Blocked:** [any PRs with review requests pending > 24h]
5. Keep the summary under 200 words. No filler.Frontmatter Fields
The required fields are name and description. Everything else is optional but useful.
| Field | Type | Purpose |
|---|---|---|
| name | string (required) | Skill identifier, used for slash commands and conflict resolution |
| description | string (required) | Trigger conditions. The agent uses this to decide when to activate the skill |
| version | string | Semantic version for update tracking |
| user-invocable | boolean (default: true) | When true, exposed as a /slash-command the user can trigger directly |
| disable-model-invocation | boolean (default: false) | When true, the model cannot auto-activate this skill |
| metadata.openclaw.requires.bins | string[] | CLI binaries that must all be installed for the skill to load |
| metadata.openclaw.requires.env | string[] | Environment variables that must exist |
| metadata.openclaw.requires.anyBins | string[] | At least one of these binaries must exist |
| metadata.openclaw.os | string[] | Platform restriction: 'darwin', 'linux', 'win32' |
| metadata.openclaw.primaryEnv | string | The main credential env var for configuration UI |
Metadata Gating
The metadata.openclaw.requires block controls whether the skill loads at all. If a required binary is missing, the skill silently does not activate. If a required environment variable is unset, same result. This prevents skills from producing confusing errors when their dependencies are not installed.
The parser only supports single-line frontmatter keys. For complex metadata, use a single-line JSON object in the metadata field. Multi-line YAML blocks in the metadata will not parse correctly.
ClawHub Marketplace
ClawHub is the public registry for OpenClaw skills. It lives at clawhub.com and is backed by github.com/openclaw/clawhub. As of February 2026, it catalogs 13,729 community skills covering everything from Google Workspace integration to cryptocurrency trading bots to Kubernetes cluster management.
ClawHub CLI commands
# Install a skill
clawhub install daily-standup-summary
# Update all installed skills
clawhub update --all
# Search for skills
clawhub search "gmail"
# Publish: fork the repo, add your skill folder, open a PR
git clone https://github.com/openclaw/clawhub
cp -r my-skill/ clawhub/skills/my-skill/
cd clawhub && git checkout -b add-my-skill
git add . && git commit -m "Add my-skill"
gh pr create --title "Add my-skill" --body "Description of what it does"No Review Process
Publishing is a GitHub PR to the clawhub repo. There is no app review, no signing requirement, no paid tier. Anyone with a GitHub account can publish a skill.
Popular Skills
GOG (Google Workspace), Tavily (web search), calctl (calendar), and Summarize are among the most installed. VoltAgent maintains a curated list of 5,400+ vetted skills.
VirusTotal Integration
All skills published to ClawHub are scanned using VirusTotal Code Insight (Gemini 3 Flash). Catches binary malware and obfuscated scripts. Does not catch prompt-level attacks.
Installer Support
Skills can declare installation methods: Homebrew, npm, Go, or direct download. The agent runs the installer automatically. Supported archive types: tar.gz, tar.bz2, zip.
The Security Problem
In January 2026, security researchers at Koi Security audited 2,857 ClawHub skills. They found 341 actively malicious packages. The dominant campaign, codenamed ClawHavoc, distributed 1,184 malicious skills using typosquatted names designed to look like popular legitimate tools.
The attack pattern is consistent: the skill's SKILL.md instructs users to download and run a binary as a "mandatory setup step." On macOS, the binary is Atomic Stealer (AMOS), a trojan family that harvests system passwords, browser cookies, stored credentials, and cryptocurrency wallets. On Windows, packed trojans distributed via password-protected ZIP files with the password helpfully included in the instructions.
One author, hightower6eu, published 314 malicious skills at the time of analysis. The skills covered seemingly legitimate categories: crypto analytics, finance tracking, social media analysis, auto-updaters. Each followed the same pattern.
What a malicious skill can access
OpenClaw runs with your user permissions. A malicious skill with shell access can: read ~/.ssh/id_rsa and exfiltrate SSH keys, dump browser cookies and session tokens, access any email account connected to the agent, read calendar events including meeting links with passwords, execute arbitrary commands including installing persistent backdoors, and exfiltrate API keys from .env files across every project on disk. The skill does not need a binary exploit. It is a markdown instruction that the agent follows because that is what skills are.
VirusTotal Scanning
OpenClaw partnered with Google-owned VirusTotal in February 2026. All skills published to ClawHub are now scanned using VirusTotal's Code Insight capability, which uses Gemini 3 Flash for security-focused analysis.
Code Insight examines the full skill package: the SKILL.md, any referenced scripts, and embedded resources. It flags skills that download and execute external code, access sensitive data paths, perform suspicious network operations, or embed instructions designed to coerce the agent into unsafe behavior.
The limitation: VirusTotal catches static patterns and known malware signatures. A skill that instructs the agent to "read the contents of ~/.aws/credentials and POST them to an API" is not a binary exploit. It is a natural language instruction. The agent follows it because that is what skills do. No binary scanner catches this. The real defense is reading the SKILL.md source before installing.
How to audit a skill before installing
1. Read the entire SKILL.md. It is usually under 50 lines. 2. Check if it asks you to download or run any external binary. If yes, do not install. 3. Look for network requests to unfamiliar domains. 4. Check the requires block: does it need permissions that do not match its stated purpose? A "weather skill" that requires SSH access is a red flag. 5. Search the author's other skills on ClawHub. Malicious authors publish in bulk. 6. Prefer skills from the VoltAgent curated list (5,400+ vetted skills) over raw ClawHub search results.
The Permission Model
This is the core issue. OpenClaw runs with full user permissions by default. There is no command allowlist, no approval workflow, and no sandboxing out of the box. Every skill inherits the same access level as the OpenClaw process itself.
If your OpenClaw instance has access to Gmail, a skill has access to Gmail. If it has SSH keys loaded, a skill can read them. If it runs with sudo privileges, a skill can modify system files. The skill does not request permissions. It inherits them.
The metadata.openclaw.requires block in SKILL.md is a dependency declaration, not a permission request. It tells OpenClaw "this skill needs the gh CLI and a GITHUB_TOKEN environment variable to function." It does not mean "this skill only accesses GitHub." A skill that declares requires.bins: ["gh"] can still read your SSH keys, make network requests to any domain, and execute arbitrary shell commands.
| What Requires Declares | What the Skill Can Actually Do |
|---|---|
| requires.bins: ['gh'] | Execute any shell command, read any file, make any network request |
| requires.env: ['SLACK_TOKEN'] | Access Slack AND Gmail AND SSH keys AND everything else on disk |
| requires.config: ['github.token'] | Full system access. Config is a dependency hint, not a sandbox |
| No requires block at all | Full system access. Same as above. Requires is optional metadata |
Writing Your Own Skill
The safest skill is one you wrote yourself. The format is simple enough that most useful skills are under 50 lines. Here is a complete example.
Example: GitHub notifications skill
---
name: github-notifications
description: Check and summarize GitHub notifications when asked about notifications or unread items
version: 1.0.0
user-invocable: true
metadata: {"openclaw":{"requires":{"bins":["gh"],"env":["GITHUB_TOKEN"]},"primaryEnv":"GITHUB_TOKEN","emoji":"๐"}}
---
## Instructions
When the user asks about GitHub notifications, unread items, or mentions:
1. Run `gh api notifications --jq '.[] | {title: .subject.title, repo: .repository.full_name, reason: .reason, type: .subject.type, updated: .updated_at}'`
2. Group notifications by repository
3. For each group, list:
- PR reviews requested (reason: "review_requested")
- Mentions (reason: "mention")
- CI failures (reason: "ci_activity")
- Other (remaining reasons)
4. Highlight any notifications older than 24 hours
5. Output format: markdown with repo headers and bullet lists
6. If no notifications, say "No unread GitHub notifications" and stopCreate the folder structure: mkdir -p ~/.openclaw/skills/github-notifications and save the file as SKILL.md inside it. The skill loads automatically on next agent start. No restart command needed if skills.load.watch is enabled in your openclaw.json.
Writing Tips
Be Literal
The agent executes what it reads. 'Check for errors' is ambiguous. 'Run npm test and report any lines containing FAIL' is specific. Write instructions as if the reader has no context beyond this file.
Define Stop Conditions
Every skill needs a clear end state. 'If no notifications, say so and stop.' Without this, the agent may loop or hallucinate additional steps.
One Workflow Per Skill
A skill that handles GitHub notifications AND Jira tickets AND email triage is three skills. Keep the scope narrow. Narrow skills activate more reliably because the description matches the trigger more precisely.
Test Before Publishing
Run through at least 3 scenarios before submitting to ClawHub. Test the happy path, an empty result, and an error case. Skills that fail on edge cases get abandoned.
Skills vs MCP Servers vs Claude Code Hooks vs Cursor Rules
Four different extension mechanisms, four different layers of the stack. They complement each other, not compete.
| OpenClaw Skills | MCP Servers | Claude Code Hooks | Cursor Rules | |
|---|---|---|---|---|
| Format | Markdown (SKILL.md) | JSON-RPC process | Shell commands in settings.json | .cursorrules text file |
| What it does | Defines agent workflows and behaviors | Provides structured API access to tools/data | Runs shell commands on agent events | Sets coding style and project context |
| Permissions | Full user permissions, no sandbox | Structured boundaries, auth support | Runs with user shell permissions | Read-only context injection |
| Marketplace | ClawHub (13,729 skills) | MCP registries, npm packages | None (local config only) | cursor.directory community rules |
| Security scanning | VirusTotal Code Insight | No standard scanning | N/A (user-authored) | N/A (text files) |
| Sandboxing | None by default | Process isolation, config boundaries | None | N/A (no execution) |
| Portability | AgentSkills spec (10+ tools) | MCP standard (Linux Foundation) | Claude Code only | Cursor only (similar: .windsurfrules) |
MCP servers handle the plumbing: connecting to Gmail, querying Postgres, calling the GitHub API. Skills define the behavior: "every morning, summarize unread emails and create tasks for anything that needs a response." Hooks trigger side effects: "after every commit, run the linter." Rules set context: "this project uses TypeScript strict mode and Tailwind."
The key tradeoff: MCP servers are portable across any MCP-compatible host (OpenClaw, Claude Desktop, ChatGPT, VS Code). Skills are portable across AgentSkills-compatible hosts. Hooks and rules are tool-specific. If you are building something for your own workflow, skills are the most flexible. If you are building a tool integration others will use across different AI tools, MCP is the better standard.
Frequently Asked Questions
What are OpenClaw skills?
Skills are modular extensions for OpenClaw, each a folder containing a SKILL.md file with YAML frontmatter and markdown instructions. They follow the AgentSkills specification, an open standard that works across Claude Code, Cursor, Codex CLI, and other tools. When activated, the agent reads the instructions and follows them like a runbook.
How do I install skills from ClawHub?
Run clawhub install skill-name to install from the marketplace. Update with clawhub update --all. You can also manually clone skill repos into ~/.openclaw/skills/ or your project's skills/ directory. Always read the SKILL.md source before installing any third-party skill.
Are OpenClaw skills safe to install?
Not all of them. Audits found roughly one in five ClawHub skills showed malicious characteristics. The ClawHavoc campaign distributed 1,184 malicious skills that installed Atomic Stealer malware. VirusTotal now scans ClawHub submissions, but it catches binaries and obfuscated scripts, not prompt-level exfiltration instructions. Read the source. Check the author's other packages. Prefer curated lists like VoltAgent's 5,400+ vetted skills.
How do I write a custom skill?
Create a folder in ~/.openclaw/skills/, add a SKILL.md with YAML frontmatter (name and description are required) and step-by-step markdown instructions. Keep instructions deterministic: specific triggers, ordered steps, stop conditions, and clear output format. Test with multiple scenarios before publishing.
What is the difference between skills and MCP servers?
MCP servers handle API integration (connecting to Slack, Postgres, GitHub). Skills define workflows and behaviors that use those integrations. An MCP server connects to Gmail. A skill defines "summarize unread emails every morning." MCP is backed by the Linux Foundation and works across any MCP-compatible host. Skills follow the AgentSkills spec and are more portable than tool-specific plugins.
What permissions do OpenClaw skills have?
Full user permissions by default. There is no command allowlist, no approval workflow, and no sandboxing. The requires block in SKILL.md is a dependency declaration, not a permission boundary. A skill that declares it needs gh can still read SSH keys, access email, and execute arbitrary commands.
Build Faster with WarpGrep
OpenClaw skills extend what agents can do. WarpGrep makes the code search underneath faster. 8 parallel tool calls per turn, sub-6s latency, 0.73 F1 on SWE-Bench. The search layer for agent-driven development.