← 返回 Skills 市场

ClawHub Integration

Name: ClawHub Integration
Author: piuaibot-stack

作者 piuaibot-stack · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

总下载

当前安装

版本数

在 OpenClaw 中安装

/install clawhub-integration

功能描述

Use when browsing, searching, installing, or publishing skills to ClawHub (OpenClaw skill registry). ClawHub is like npm for AI agent skills.

使用说明 (SKILL.md)

ClawHub Integration

ClawHub (clawhub.ai) is the skill registry for OpenClaw agents — like npm but for AI agent skills.

Base URL

https://clawhub.ai/api/v1

Authentication

Token format: clh_\x3Ctoken> as Bearer token
Generate token: Login at clawhub.ai → Settings → API Tokens
Store in env: CLAWHUB_TOKEN=clh_xxx
Validate: GET /api/v1/whoami

curl -H "Authorization: Bearer $CLAWHUB_TOKEN" https://clawhub.ai/api/v1/whoami

Security Considerations

When working with API tokens, especially in automated environments or with AI agents, be aware of the following security considerations:

Token Storage: Never store tokens directly in scripts or commands. Use environment variables or secure credential storage.
Secure Token Usage:

# Read token from secure file or environment variable
TOKEN=$(cat ~/.secure/clawhub_token)
curl -H "Authorization: Bearer $TOKEN" https://clawhub.ai/api/v1/whoami

# Or use environment variable
curl -H "Authorization: Bearer $CLAWHUB_TOKEN" https://clawhub.ai/api/v1/whoami

Security Scanning: Many environments now scan for exposed credentials. If you encounter security warnings:
- Do not bypass security checks
- Use proper credential management practices
- Store tokens in secure files with restricted permissions (chmod 600)
- Use credential helpers when available
Token Permissions: Ensure your token has only the minimum required permissions for the tasks you need to perform.

Search Skills (No auth needed)

# Search by keyword
curl "https://clawhub.ai/api/v1/search?q=github+automation"

# List all skills
curl "https://clawhub.ai/api/v1/skills"

# Get specific skill
curl "https://clawhub.ai/api/v1/skills/{slug}"

# Download skill
curl "https://clawhub.ai/api/v1/download?slug=my-skill" -o skill.zip

Install via CLI

# Install clawhub
pip install clawhub
# or: npm i -g clawhub

# Login
clawhub login                     # browser OAuth via GitHub
clawhub login --token clh_xxx     # headless token login

# Browse & Install
clawhub search "calendar"         # search by keyword
clawhub explore                   # list recently updated
clawhub inspect \x3Cslug>            # preview before install
clawhub install \x3Cslug>            # download and install
clawhub list                      # show installed skills
clawhub update [slug]             # update skill
clawhub uninstall \x3Cslug>          # remove skill

Publish a Skill

# Via CLI
clawhub skill publish ./my-skill-folder

# Via API (multipart form)
curl -X POST https://clawhub.ai/api/v1/skills \
  -H "Authorization: Bearer $CLAWHUB_TOKEN" \
  -F "slug=my-skill" \
  -F "version=1.0.0" \
  -F "files[][email protected]"

SKILL.md Format for Publishing

---
name: skill-name
description: What this skill does and when to use it
version: 1.0.0
author: Kintama
license: MIT
metadata:
  hermes:
    tags: [tag1, tag2]
    related_skills: [other-skill]
required_env:
  - API_KEY
required_binaries:
  - python3
---

# Skill Name
Content here...

Rate Limits

Anonymous: 180 reads/min, 45 writes/min
Authenticated: 900 reads/min, 180 writes/min

Environment Variables

CLAWHUB_TOKEN=clh_xxx           # API token
CLAWHUB_REGISTRY=               # Override registry URL (optional)
CLAWHUB_DISABLE_TELEMETRY=1     # Disable tracking

安全使用建议

This skill appears to be a legitimate ClawHub integration, but there are a few things to check before using it: - Metadata mismatch: the SKILL.md expects CLAWHUB_TOKEN and related env vars but the skill metadata does not declare them. Treat that as a correctness/attention issue. - Least-privilege token: if you provide CLAWHUB_TOKEN to an agent or environment, create a token limited to only the scopes you need (prefer read-only for browsing/searching). Avoid giving a token that can publish or delete unless necessary. - Avoid global env leakage: don't place tokens in widely accessible/global environment files. Use a secure credential store or a file with strict permissions (chmod 600) as suggested in the doc. - Autonomous risk: because the agent can invoke this skill autonomously, if it has access to a token it could modify registry contents. If you want to allow only manual operations, avoid storing the token in the agent environment or disable autonomous invocation for the agent. - Verify CLI packages: if you run pip install clawhub or npm i -g clawhub, verify the package source and maintainer before installing globally. - Verify ownership and endpoints: the SKILL.md points to https://clawhub.ai/api/v1 and an owner id but no homepage/source repository is provided; consider verifying the registry/site and owner identity before publishing or installing sensitive packages. If you need higher assurance, ask the skill author to update metadata to declare CLAWHUB_TOKEN as a required credential, provide a homepage/source link, and document recommended token scopes. Revoke any token you hand to the agent if you later suspect misuse.

功能分析

Type: OpenClaw Skill Name: clawhub-integration Version: 1.0.0 The skill bundle provides standard documentation and integration instructions for ClawHub, a skill registry for OpenClaw agents. It includes legitimate API endpoints (clawhub.ai), CLI commands, and proactive security guidance for managing API tokens, with no evidence of malicious intent, data exfiltration, or prompt injection.

能力标签

requires-oauth-tokenrequires-sensitive-credentials

能力评估

ℹ Purpose & Capability

The name/description match the instructions (search, install, publish against clawhub.ai). However the skill metadata declares no required environment variables or primary credential while the SKILL.md clearly documents and expects a CLAWHUB_TOKEN and optional CLAWHUB_REGISTRY and CLAWHUB_DISABLE_TELEMETRY. That mismatch is inconsistent and should be corrected or explained.

✓ Instruction Scope

The runtime instructions stay on-topic: curl examples, CLI usage, publish API examples, and a recommended SKILL.md format. They do instruct reading a local secure file (~/.secure/clawhub_token) or environment variables for the token, which is appropriate for this purpose. No instructions attempt to read unrelated system files or exfiltrate data to unexpected endpoints.

ℹ Install Mechanism

There is no install spec (instruction-only), which is low-risk. The document suggests installing third-party CLIs via pip or npm (pip install clawhub or npm i -g clawhub) — expected but users should verify the package source before installing globally.

⚠ Credentials

Although the skill metadata lists no required env vars, the instructions expect CLAWHUB_TOKEN (clh_...) and optionally CLAWHUB_REGISTRY and CLAWHUB_DISABLE_TELEMETRY. A token grants authenticated capabilities (including publishing, updating, uninstalling) on the registry; requiring or using such a credential is proportionate to the publish/install purpose, but the omission from metadata and lack of explicit minimization of token scopes is a red flag—tokens should be least-privilege and declared in metadata.

⚠ Persistence & Privilege

The skill is not always:true and does not request persistent installation, which is good. However, because the instructions rely on an API token and the skill is allowed to be invoked autonomously, an agent with access to a CLAWHUB_TOKEN could programmatically install/uninstall/publish skills (a high-impact capability). This combination (autonomy + credential access) increases risk and should be considered before granting tokens to the agent.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install clawhub-integration
安装完成后，直接呼叫该 Skill 的名称或使用 /clawhub-integration 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of ClawHub Integration skill. - Provides comprehensive instructions for searching, installing, and publishing skills to ClawHub (OpenClaw skill registry). - Includes detailed authentication, security best practices, rate limits, and environment variable guidance. - Offers CLI and API usage examples for browsing, installing, and publishing skills. - Documents the expected SKILL.md format for publishing to ClawHub.

元数据

Slug clawhub-integration

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题