← Back to Skills Marketplace
ClawHub Integration
by
piuaibot-stack
· GitHub ↗
· v1.0.0
· MIT-0
46
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install clawhub-integration
Description
Use when browsing, searching, installing, or publishing skills to ClawHub (OpenClaw skill registry). ClawHub is like npm for AI agent skills.
README (SKILL.md)
ClawHub Integration
ClawHub (clawhub.ai) is the skill registry for OpenClaw agents — like npm but for AI agent skills.
Base URL
https://clawhub.ai/api/v1
Authentication
- Token format:
clh_\x3Ctoken>as Bearer token - Generate token: Login at clawhub.ai → Settings → API Tokens
- Store in env:
CLAWHUB_TOKEN=clh_xxx - Validate:
GET /api/v1/whoami
curl -H "Authorization: Bearer $CLAWHUB_TOKEN" https://clawhub.ai/api/v1/whoami
Security Considerations
When working with API tokens, especially in automated environments or with AI agents, be aware of the following security considerations:
-
Token Storage: Never store tokens directly in scripts or commands. Use environment variables or secure credential storage.
-
Secure Token Usage:
# Read token from secure file or environment variable
TOKEN=$(cat ~/.secure/clawhub_token)
curl -H "Authorization: Bearer $TOKEN" https://clawhub.ai/api/v1/whoami
# Or use environment variable
curl -H "Authorization: Bearer $CLAWHUB_TOKEN" https://clawhub.ai/api/v1/whoami
-
Security Scanning: Many environments now scan for exposed credentials. If you encounter security warnings:
- Do not bypass security checks
- Use proper credential management practices
- Store tokens in secure files with restricted permissions (chmod 600)
- Use credential helpers when available
-
Token Permissions: Ensure your token has only the minimum required permissions for the tasks you need to perform.
Search Skills (No auth needed)
# Search by keyword
curl "https://clawhub.ai/api/v1/search?q=github+automation"
# List all skills
curl "https://clawhub.ai/api/v1/skills"
# Get specific skill
curl "https://clawhub.ai/api/v1/skills/{slug}"
# Download skill
curl "https://clawhub.ai/api/v1/download?slug=my-skill" -o skill.zip
Install via CLI
# Install clawhub
pip install clawhub
# or: npm i -g clawhub
# Login
clawhub login # browser OAuth via GitHub
clawhub login --token clh_xxx # headless token login
# Browse & Install
clawhub search "calendar" # search by keyword
clawhub explore # list recently updated
clawhub inspect \x3Cslug> # preview before install
clawhub install \x3Cslug> # download and install
clawhub list # show installed skills
clawhub update [slug] # update skill
clawhub uninstall \x3Cslug> # remove skill
Publish a Skill
# Via CLI
clawhub skill publish ./my-skill-folder
# Via API (multipart form)
curl -X POST https://clawhub.ai/api/v1/skills \
-H "Authorization: Bearer $CLAWHUB_TOKEN" \
-F "slug=my-skill" \
-F "version=1.0.0" \
-F "files[][email protected]"
SKILL.md Format for Publishing
---
name: skill-name
description: What this skill does and when to use it
version: 1.0.0
author: Kintama
license: MIT
metadata:
hermes:
tags: [tag1, tag2]
related_skills: [other-skill]
required_env:
- API_KEY
required_binaries:
- python3
---
# Skill Name
Content here...
Rate Limits
- Anonymous: 180 reads/min, 45 writes/min
- Authenticated: 900 reads/min, 180 writes/min
Environment Variables
CLAWHUB_TOKEN=clh_xxx # API token
CLAWHUB_REGISTRY= # Override registry URL (optional)
CLAWHUB_DISABLE_TELEMETRY=1 # Disable tracking
Usage Guidance
This skill appears to be a legitimate ClawHub integration, but there are a few things to check before using it:
- Metadata mismatch: the SKILL.md expects CLAWHUB_TOKEN and related env vars but the skill metadata does not declare them. Treat that as a correctness/attention issue.
- Least-privilege token: if you provide CLAWHUB_TOKEN to an agent or environment, create a token limited to only the scopes you need (prefer read-only for browsing/searching). Avoid giving a token that can publish or delete unless necessary.
- Avoid global env leakage: don't place tokens in widely accessible/global environment files. Use a secure credential store or a file with strict permissions (chmod 600) as suggested in the doc.
- Autonomous risk: because the agent can invoke this skill autonomously, if it has access to a token it could modify registry contents. If you want to allow only manual operations, avoid storing the token in the agent environment or disable autonomous invocation for the agent.
- Verify CLI packages: if you run pip install clawhub or npm i -g clawhub, verify the package source and maintainer before installing globally.
- Verify ownership and endpoints: the SKILL.md points to https://clawhub.ai/api/v1 and an owner id but no homepage/source repository is provided; consider verifying the registry/site and owner identity before publishing or installing sensitive packages.
If you need higher assurance, ask the skill author to update metadata to declare CLAWHUB_TOKEN as a required credential, provide a homepage/source link, and document recommended token scopes. Revoke any token you hand to the agent if you later suspect misuse.
Capability Analysis
Type: OpenClaw Skill
Name: clawhub-integration
Version: 1.0.0
The skill bundle provides standard documentation and integration instructions for ClawHub, a skill registry for OpenClaw agents. It includes legitimate API endpoints (clawhub.ai), CLI commands, and proactive security guidance for managing API tokens, with no evidence of malicious intent, data exfiltration, or prompt injection.
Capability Tags
Capability Assessment
Purpose & Capability
The name/description match the instructions (search, install, publish against clawhub.ai). However the skill metadata declares no required environment variables or primary credential while the SKILL.md clearly documents and expects a CLAWHUB_TOKEN and optional CLAWHUB_REGISTRY and CLAWHUB_DISABLE_TELEMETRY. That mismatch is inconsistent and should be corrected or explained.
Instruction Scope
The runtime instructions stay on-topic: curl examples, CLI usage, publish API examples, and a recommended SKILL.md format. They do instruct reading a local secure file (~/.secure/clawhub_token) or environment variables for the token, which is appropriate for this purpose. No instructions attempt to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. The document suggests installing third-party CLIs via pip or npm (pip install clawhub or npm i -g clawhub) — expected but users should verify the package source before installing globally.
Credentials
Although the skill metadata lists no required env vars, the instructions expect CLAWHUB_TOKEN (clh_...) and optionally CLAWHUB_REGISTRY and CLAWHUB_DISABLE_TELEMETRY. A token grants authenticated capabilities (including publishing, updating, uninstalling) on the registry; requiring or using such a credential is proportionate to the publish/install purpose, but the omission from metadata and lack of explicit minimization of token scopes is a red flag—tokens should be least-privilege and declared in metadata.
Persistence & Privilege
The skill is not always:true and does not request persistent installation, which is good. However, because the instructions rely on an API token and the skill is allowed to be invoked autonomously, an agent with access to a CLAWHUB_TOKEN could programmatically install/uninstall/publish skills (a high-impact capability). This combination (autonomy + credential access) increases risk and should be considered before granting tokens to the agent.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install clawhub-integration - After installation, invoke the skill by name or use
/clawhub-integration - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of ClawHub Integration skill.
- Provides comprehensive instructions for searching, installing, and publishing skills to ClawHub (OpenClaw skill registry).
- Includes detailed authentication, security best practices, rate limits, and environment variable guidance.
- Offers CLI and API usage examples for browsing, installing, and publishing skills.
- Documents the expected SKILL.md format for publishing to ClawHub.
Metadata
Frequently Asked Questions
What is ClawHub Integration?
Use when browsing, searching, installing, or publishing skills to ClawHub (OpenClaw skill registry). ClawHub is like npm for AI agent skills. It is an AI Agent Skill for Claude Code / OpenClaw, with 46 downloads so far.
How do I install ClawHub Integration?
Run "/install clawhub-integration" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is ClawHub Integration free?
Yes, ClawHub Integration is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does ClawHub Integration support?
ClawHub Integration is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ClawHub Integration?
It is built and maintained by piuaibot-stack (@piuaibot-stack); the current version is v1.0.0.
More Skills