ClawHub: The Ultimate Marketplace for OpenClaw Skills (2026 Guide)

Introduction: The Central Nervous System for Autonomous AI

ClawHub has officially become the central nervous system for autonomous AI agents, bridging the gap between raw LLM intelligence and real-world execution. If OpenClaw is the brain—capable of understanding natural language, reasoning through complex problems, and generating human-like responses—then ClawHub is the tool belt containing everything from social media API keys to cloud server wrenches. Without this marketplace, your AI agent remains trapped in a purely conversational sandbox, unable to send emails, scrape websites, or automate workflows across your digital infrastructure.

The ecosystem reached a watershed moment on March 2, 2026, when the registry officially surpassed 13,000 publicly available skills. However, this explosive growth came with a dark side. Last month’s discovery of the “ClawHavoc” malware campaign—which exposed 341 malicious skills designed to exfiltrate environment variables and inject backdoor prompts—has fundamentally altered the security landscape. Consequently, modern ClawHub users must balance velocity with vigilance, treating every skill installation as a potential attack vector rather than a simple npm package.

This technical authority guide will equip infrastructure architects and security auditors with the knowledge required to navigate ClawHub safely in 2026. Furthermore, we’ll dissect the anatomy of modern skills, master the CLI toolchain, analyze the VirusTotal Code Insight integration powered by Google’s Gemini model (learn more about Gemini’s capabilities on Google AI), and establish a defense-in-depth strategy that protects your AI agents without sacrificing functionality. In today’s AI Search Overviews: 2026 Survival Strategy, understanding how to leverage marketplace ecosystems like ClawHub has become essential for maintaining competitive advantage in the shifting AI landscape.

The Anatomy of a 2026 Skill: Understanding the SKILL.md Architecture

Modern ClawHub skills are built around a standardized SKILL.md file format that serves as both documentation and executable configuration. Unlike traditional package managers where code and metadata live in separate files, OpenClaw skills embed everything within a single Markdown document using YAML frontmatter and structured sections.

At the top of every SKILL.md file, you’ll find frontmatter variables enclosed in triple dashes. These variables are not merely decorative metadata—they control critical runtime behaviors. The disable-model-invocation flag, for instance, prevents the skill from making unauthorized API calls to external LLMs, which became a mandatory security control after the ClawHavoc incident. Skills that lack this flag or set it to false should trigger immediate red flags during your audit process.

Furthermore, the frontmatter now includes a signature field containing the SHA-256 hash of the skill’s core code sections. Every time you run clawhub update, the CLI verifies this hash against the registry’s canonical version. Should the hashes diverge, the update fails and logs a potential tampering event. This cryptographic verification system was introduced in OpenClaw v2026.2.25 specifically to address the “ClawJacked” vulnerability, where attackers performed man-in-the-middle attacks to inject malicious code during skill downloads.

Below the frontmatter, skills are organized into semantic sections: Description, Triggers, Tools, Examples, and Error Handling. The Triggers section is particularly important from a security perspective because it defines the natural language patterns that activate the skill. Overly broad triggers like “do anything with files” create attack surface for prompt injection, whereas specific triggers like “convert DOCX to PDF using pypdf” limit the blast radius of a compromised skill. Understanding these security fundamentals is as critical as understanding npm package security best practices.

Mastering the ClawHub CLI: A Technical Deep Dive

The ClawHub command-line interface serves as your primary interaction point with the global registry. Installation requires Node.js 16 or higher and begins with a single command: npm i -g clawhub. This places the clawhub binary in your global npm bin directory, typically /usr/local/bin on Unix systems or %APPDATA%\npm on Windows.

Once installed, the CLI exposes several critical commands that every infrastructure architect must understand. The clawhub search command queries the registry using keyword filters and sort parameters. For example, clawhub search --sort downloads returns skills ranked by popularity, which serves as a crude reputation metric. Skills with fewer than 100 downloads should be subjected to enhanced scrutiny, as attackers often publish malware under names similar to popular packages—a technique known as typosquatting.

When you’ve identified a skill for installation, clawhub install <slug> downloads the SKILL.md file and its dependencies to your local OpenClaw skills directory. Behind the scenes, this command performs several security checks. First, it validates the SHA-256 hash embedded in the skill’s frontmatter. Second, it queries VirusTotal’s Code Insight API to retrieve a behavioral analysis verdict. Third, it checks for known malicious domains or IP addresses in any URL references within the skill. Only after passing all three gates does the installation proceed.

Version control becomes critical when managing production AI agents. The --version flag allows you to pin specific skill versions: clawhub install github-orchestrator --version 2.1.3. This prevents automatic updates from introducing breaking changes or malicious code. In light of the ClawHavoc campaign, many enterprises have adopted a policy of freezing skill versions and only updating after completing manual security audits. The clawhub rollback <slug> command provides a safety net, allowing you to revert to the previous version if an update causes unexpected behavior.

Advanced users should familiarize themselves with the clawhub audit command, introduced in the February 2026 security patch. Running clawhub audit --local scans all installed skills against the latest threat intelligence feeds from VirusTotal and GitHub’s Advisory Database. The output includes a severity score (Low, Medium, High, Critical) and remediation guidance. Any skill flagged as “Critical” should be immediately uninstalled and reported to the ClawHub security team.

Installing ClawHub via npm: Prerequisites and Configuration

ClawHub’s distribution through npm (Node Package Manager) requires Node.js version 16 or higher, though version 18 or above is strongly recommended for optimal performance and security patch coverage.

Check Your Current Version:

Verify your current installation:

bash

node -v && npm -v
```

The first command displays your Node.js version, while the second confirms npm availability.

**Expected Output:**
```
v18.17.0
9.8.1

If Node.js isn’t installed or your version predates 16.x, download the latest LTS (Long Term Support) release from nodejs.org before proceeding.

Global Installation (Recommended):

Global npm installation represents the standard approach for ClawHub:

bash

npm i -g clawhub

The -g flag instructs npm to install into your global packages directory rather than a project-local node_modules folder. This global approach makes sense for ClawHub because it functions as a system-level tool—similar to git or docker—rather than a project-specific dependency.

Alternative Package Managers:

Alternative package managers provide identical functionality with different performance characteristics.

Yarn Installation:

bash

yarn global add clawhub

Uses Yarn’s global directory structure (typically ~/.yarn/global on Unix systems).

Pnpm Installation (Most Efficient):

bash

pnpm add -g clawhub

Pnpm offers the most disk-efficient option through its content-addressable storage system, deduplicating shared dependencies across all globally installed packages.

All three package managers—npm, Yarn, and pnpm—interoperate with the same ClawHub binary, so the choice depends on your existing toolchain preferences.

Corporate Proxy Configuration:

Corporate environments frequently require npm proxy configuration to traverse firewalls and content filters.

Configure your proxy settings globally:

bash

npm config set proxy http://proxy.company.com:8080
npm config set https-proxy http://proxy.company.com:8080

Replace the URL with your organization’s proxy server address. These settings persist across sessions and apply to all npm operations.

Private Registry Configuration:

Organizations maintaining private npm mirrors or Artifactory instances should verify registry configuration before installation.

Check your current registry:

bash

npm config get registry
```

**Expected output for public registry:**
```
https://registry.npmjs.org/

For private registry:

bash

npm config set registry https://artifactory.company.com/npm/

Misconfigured registry settings can cause installation to fail silently or pull outdated ClawHub versions from stale mirrors.

Verify Installation Success:

Verify successful installation:

bash

clawhub --version
```

**Expected output:**
```
2.4.1

If this command fails despite successful npm installation, refer to the “Troubleshooting: Fixing the ‘Missing: bin:clawhub’ Error” section above for PATH configuration guidance.

Understanding Global Directory Structure:

Understanding npm’s global directory structure helps diagnose installation issues:

bash

npm config get prefix

Typical outputs:

• Windows: C:\Users\YourUsername\AppData\Roaming\npm
• macOS/Linux: /usr/local or ~/.npm-global

This ensures ClawHub commands execute correctly across all terminal sessions.

Command Logic: clawhub install vs. clawhub search

Understanding the distinction between clawhub install <slug> and clawhub search --sort downloads is fundamental for efficient marketplace navigation. The search command performs read-only queries against the registry’s metadata index without downloading any files or modifying your local system. It returns a JSON array containing skill names, descriptions, download counts, author information, and security verdicts.

In contrast, the install command initiates a write operation that modifies your OpenClaw skills directory. Installation triggers the complete security validation pipeline described earlier, including hash verification, VirusTotal scanning, and dependency resolution. Notably, if you attempt to install a skill that already exists locally, the CLI will prompt you to either overwrite the existing version or cancel the operation. After installation, you can customize these skills further using techniques outlined in our OpenClaw Agents: The Add-Command Blueprint guide.

Version Control: Using the –version Flag

Rolling back skills after a failed update requires understanding the version control semantics built into the ClawHub CLI. When you run clawhub install github-orchestrator --version 2.1.3, the CLI queries the registry’s historical version index rather than fetching the latest release. This historical index is immutable—once a version is published, it cannot be altered or deleted, which provides auditability and reproducibility.

Each skill version is tagged with a semantic version number (major.minor.patch) and a Git commit hash that references the exact state of the source repository at publication time. This dual-versioning system allows you to trace any skill back to its original source code. For organizations maintaining private ClawHub registries, this integration with Git workflows makes it possible to implement GitOps-style deployment pipelines where skill updates flow through the same code review and CI/CD processes as application code.

Fixing the “Missing: bin:clawhub” Error

The “missing: bin:clawhub” error ranks among the most frequently encountered installation issues, particularly on Windows 11 systems where PATH environment variables don’t always refresh immediately after global npm installations. When you run npm i -g clawhub successfully but receive “command not found” or “missing: bin:clawhub” errors upon executing clawhub commands, the root cause typically involves your system’s inability to locate the globally installed binary.

Windows Quick Fix:

On Windows systems, the solution begins with restarting your terminal completely—not just opening a new tab, but closing PowerShell or Command Prompt entirely and relaunching it. Windows caches environment variables aggressively, and PATH updates won’t propagate to existing shell sessions.

If the error persists after restart, manually verify your npm global bin directory:

bash

npm config get prefix

This command returns the path where npm installs global packages, typically C:\Users\YourUsername\AppData\Roaming\npm on Windows or /usr/local on Unix systems.

Navigate to System Properties > Environment Variables > Path and confirm that your npm prefix path appears in the list. If it’s missing, add it manually, click OK to save, then restart your terminal again.

Quick Workaround (No PATH Required):

Alternatively, you can bypass PATH issues entirely by using npx:

bash

npx clawhub search --sort downloads

This executes ClawHub commands without requiring global installation.

macOS and Linux Solutions:

On macOS and Linux, the issue often stems from shell configuration files.

For bash users, add this to your ~/.bashrc:

bash

export PATH="$PATH:$(npm config get prefix)/bin"

For zsh users (macOS default since Catalina), add the same line to ~/.zshrc:

bash

export PATH="$PATH:$(npm config get prefix)/bin"

After editing, reload your shell configuration:

bash

source ~/.zshrc

Or simply open a new terminal window.

Fixing Permission Errors:

Permission errors represent another common variant. On Unix systems, avoid using sudo:

bash

# DON'T DO THIS
sudo npm i -g clawhub

This installs the package with root ownership, causing permission conflicts. Instead, configure npm to use a user-owned directory:

bash

mkdir ~/.npm-global
npm config set prefix '~/.npm-global'

Then add ~/.npm-global/bin to your PATH in ~/.bashrc or ~/.zshrc:

bash

export PATH="$PATH:~/.npm-global/bin"

Corporate Proxy Configuration:

For organizations behind corporate proxies or using custom npm registries, verify your npm configuration:

bash

npm config set proxy http://proxy.company.com:8080
npm config set https-proxy http://proxy.company.com:8080

Confirm you’re pulling from the standard npm registry:

bash

npm config get registry

This should return https://registry.npmjs.org/

Complete Reinstallation (Nuclear Option):

If all troubleshooting fails, perform a complete reinstallation:

bash

npm uninstall -g clawhub
npm cache clean --force
npm i -g clawhub

Verify success:

bash

clawhub --version

This should display the installed version number without errors.

The “ClawHavoc” Crisis: Security Best Practices for 2026

The ClawHavoc malware campaign represented the first large-scale supply chain attack against the OpenClaw ecosystem. Attackers exploited the open-submission model of ClawHub by publishing skills with legitimate-sounding names like “gmail-enhanced” and “slack-pro-connector.” These malicious skills contained obfuscated JavaScript that exfiltrated AWS credentials, database connection strings, and API tokens from the host system’s environment variables.

VirusTotal Integration: Interpreting Security Verdicts

VirusTotal Integration now stands as the first line of defense against such threats. Every skill page on the ClawHub marketplace displays a security verdict: “Benign,” “Suspicious,” or “Malicious.” These verdicts are generated by VirusTotal’s Code Insight engine, powered by Google’s Gemini LLM. Unlike traditional signature-based antivirus solutions documented in VirusTotal’s API documentation, Code Insight analyzes the intent of a skill by understanding its natural language descriptions, code patterns, and API interactions.

A skill might contain perfectly valid Python code but receive a “Suspicious” verdict because its description promises “email automation” while its code makes network requests to unfamiliar domains. The verdict system operates on a weighted scoring model that considers multiple factors: static code analysis results from 70+ antivirus engines, behavioral indicators from sandbox execution, reputation scores based on author history, and semantic analysis of the skill’s documentation.

Interpreting these verdicts requires nuance. A “Benign” verdict with 0/70 detections provides strong confidence, but it’s not absolute proof of safety. Zero-day exploits and novel attack techniques may evade detection until signature databases update. Conversely, a “Suspicious” verdict with 2/70 detections might be a false positive caused by legitimate but unusual coding patterns—such as dynamically constructed shell commands or encrypted configuration files.

The “Local-First” Audit: A Security Checklist

However, automated scanning cannot catch every threat. Prompt injection attacks—where malicious instructions are hidden in the skill’s example prompts or trigger patterns—often evade static analysis. Consequently, the “Local-First” audit checklist has become mandatory for security-conscious organizations:

1. Read the SKILL.md file manually before installation. Pay special attention to external URLs, base64-encoded strings, and conditional logic that might alter behavior based on environment variables. Look for suspicious imports like eval(), exec(), or dynamic module loading via __import__().
2. Verify the author’s identity by cross-referencing their GitHub profile or organizational domain. Skills published by anonymous accounts should be treated as untrusted. Check whether the author has a verifiable track record of contributions to reputable open-source projects.
3. Check the dependency tree. Many skills import Python libraries or npm packages. Run npm audit or pip-audit on these dependencies separately. A skill might be perfectly safe, but if it depends on a compromised package, your entire agent becomes vulnerable.
4. Test in an isolated sandbox before deploying to production. Use Docker containers with restricted network access and no real credentials. Tools like Sandstorm or Firejail provide lightweight sandboxing for Linux environments.
5. Monitor runtime behavior using process-level auditing tools like auditd (Linux) or Sysmon (Windows). Unusual network connections or file system access patterns indicate compromise. Establish baseline metrics during testing and alert on anomalies.

Gateway Hardening: Securing the ClawHub Marketplace Interface

Gateway hardening has emerged as a critical configuration concern. By default, the ClawHub marketplace runs a local web server on 0.0.0.0:8080 to preview skills before installation. Binding to all interfaces (0.0.0.0) without authentication exposes your skill library to the entire network. An attacker who achieves lateral movement within your infrastructure could browse your installed skills, identify outdated versions with known vulnerabilities, and craft targeted exploits.

Best practice dictates binding to 127.0.0.1 (localhost only) and requiring bearer token authentication: clawhub serve --host 127.0.0.1 --token $(openssl rand -hex 32). This configuration ensures that only processes running on the same machine can access the marketplace interface, and even then, they must present a cryptographically random token. Store this token in a secure credential vault rather than hardcoding it in scripts or environment files.

For organizations that require remote access to the ClawHub marketplace—such as teams conducting collaborative skill evaluations—deploy a reverse proxy with mutual TLS authentication. NGINX or Traefik can terminate TLS connections, validate client certificates, and forward authenticated requests to the ClawHub backend. This architecture provides defense-in-depth by ensuring that even if an attacker compromises the ClawHub service, they cannot bypass the TLS authentication layer.

MolHub, ClawHub, and the Extension Registry Evolution (2020-2026)

Before ClawHub achieved marketplace dominance, MolHub served as the original skill registry for early OpenClaw adopters from 2020 through 2023. MolHub pioneered the concept of executable Markdown skills and established many conventions that ClawHub later inherited—including the SKILL.md format and the slug-based naming system.

However, MolHub’s fatal flaw was prioritizing growth velocity over security governance, a decision that ultimately led to its collapse and replacement.

The MolWorm Breach (August 2023):

The first major MolHub breach occurred in August 2023 when researchers discovered the “MolWorm” campaign—a coordinated attack where 89 malicious skills contained self-replicating code that automatically installed additional compromised skills from the registry.

MolHub’s lack of cryptographic verification meant that attackers could modify skills post-publication without detection. Users who installed gmail-helper on Monday might find that by Friday, the same skill had been silently updated to include credential harvesting code, with no audit trail or rollback mechanism.

Zero Moderation = Maximum Risk:

MolHub’s governance structure compounded these technical failures. The registry operated as a fully decentralized platform with zero moderation—anyone could publish any skill instantly without review.

While this approach accelerated the initial marketplace from zero to 3,000 skills within a year, it created an environment where malicious actors operated with impunity.

Typosquatting attacks flourished:

• slak-connector (one character off from Slack)
• githb-integration (one character off from GitHub)
• gmail-enhansed (common misspelling)

These appeared one character away from legitimate tools in search results.

The ClawHub Revolution (March 2024):

By early 2024, enterprise security teams began blacklisting MolHub entirely, forcing the OpenClaw Foundation to intervene. ClawHub launched in March 2024 with a radically different security model:

✅ SHA-256 hash verification for every skill version
✅ Mandatory author identity verification
✅ Bug bounty program
✅ “Verified” badge system requiring peer review

The migration from MolHub to ClawHub took nine months, with the OpenClaw Foundation running an automated security audit that flagged 2,847 suspicious skills for manual review.

Security Evolution Timeline:

Year	Event	Impact
2020	MolHub launches	Zero security, rapid growth
2023	MolWorm breach	89 malicious skills, self-replicating malware
2024	ClawHub replaces MolHub	SHA-256 verification, identity checks
2026	ClawHavoc discovered	341 malicious skills, but contained quickly

Lessons Learned:

The lessons learned from MolHub’s failure shaped ClawHub’s 2026 security posture:

1. Cryptographic signatures – Every clawhub update command now verifies signatures before applying changes
2. Centralized governance – Mandatory security updates can be pushed to all users
3. Private registry support – The CLAWHUB_REGISTRY environment variable pattern emerged

Example private registry configuration:

bash

export CLAWHUB_REGISTRY="https://your-private-repo.com"

The “ClawJacked” Vulnerability:

The “ClawJacked” vulnerability—discovered in January 2026—would have been catastrophic under MolHub’s architecture but was quickly patched in ClawHub due to centralized governance that could push mandatory security updates.

Private Registries: The Enterprise Solution:

Organizations now understand that relying solely on public marketplaces creates unacceptable risk. Private registries maintain the convenience of centralized skill management while eliminating supply chain risk inherent in open-source marketplaces.

The 2020-2026 evolution represents a maturation from “move fast and break things” to “verify, then trust”—a necessary transition as OpenClaw agents moved from hobbyist experiments to production infrastructure managing millions of dollars in business workflows.

Top 5 “Killer” Skills for March 2026

Despite the security challenges, ClawHub remains home to transformative skills that genuinely extend AI agent capabilities. These five skills have proven indispensable across enterprise deployments:

Wacli (WhatsApp Automation): Enables AI agents to send and receive WhatsApp messages programmatically via the official Business API. Critical for customer service automation in regions where WhatsApp dominates mobile communication. Version 3.2+ includes end-to-end encryption verification and complies with WhatsApp’s Business Platform policies. Organizations deploying this skill at scale should review our MaxClaw: The 24/7 Cloud Assistant Guide for best practices on continuous availability.

Tavily (Advanced Search): Goes beyond simple web scraping to provide structured research across academic databases, news archives, and social media. The semantic deduplication engine prevents redundant results, making it ideal for competitive intelligence gathering. Integration with scholarly databases like arXiv and PubMed distinguishes Tavily from consumer search tools.

Playwright-MCP (Browser Automation): Grants AI agents full control over Chromium, Firefox, and WebKit browsers through Microsoft’s Playwright framework. Unlike simpler HTTP clients, Playwright handles JavaScript-heavy SPAs, CAPTCHA solving, and authenticated sessions. Use with extreme caution—unrestricted browser automation creates significant security risks including credential theft and session hijacking. Before deploying Playwright-based skills, verify your infrastructure meets the OpenClaw System Requirements: 2026 Update specifications for hardware-intensive workloads.

GitHub-Orchestrator: Manages entire software development workflows including issue triage, pull request reviews, and CI/CD pipeline triggers. The v4.0 release added support for GitHub Projects and Copilot Workspace integration. Organizations using GitHub Actions for continuous integration find this skill particularly valuable for closing the loop between AI-generated code and automated testing.

Zapier-Bridge: Connects OpenClaw agents to 5,000+ web services through Zapier’s no-code integration platform. Particularly valuable for organizations that have already invested in Zapier infrastructure but want to add AI orchestration layers. The skill supports both trigger-based automation (when X happens, do Y) and action-based execution (do X in response to agent command), documented in Zapier’s developer platform. Sales teams leveraging this skill for lead qualification should also explore our Outbound Lead Generation: The Solution to Inbound Droughts methodology for comprehensive pipeline strategies.

Official Setup Resources

For additional technical documentation on OpenClaw architecture, consult the OpenClaw Foundation’s official documentation. Security researchers should also reference OWASP’s AI Security and Privacy Guide for broader context on LLM supply chain attacks.

Developers seeking to publish their own skills should begin with the ClawHub Contributor Guide, which covers SKILL.md formatting standards, frontmatter requirements, and the peer review process for Verified skill status. The guide includes templates for common skill types and code examples demonstrating secure credential handling patterns.

Building a Secure ClawHub Architecture: The Defense-in-Depth Model

Implementing ClawHub at scale requires a multi-layered security architecture that assumes breach at every level. The outer layer consists of network segmentation—your AI agents should operate in isolated VLANs with egress filtering that permits only explicitly whitelisted domains. This prevents compromised skills from establishing command-and-control channels to attacker infrastructure.

The middle layer focuses on identity and access management. Each AI agent should run under a dedicated service account with least-privilege IAM policies. For example, an agent responsible for sending customer emails needs only SendGrid API credentials, not AWS root access. Credential vaulting solutions like HashiCorp Vault or AWS Secrets Manager should inject secrets at runtime rather than storing them as environment variables.

The inner layer implements runtime monitoring and anomaly detection. Tools like Falco (for containerized workloads) or osquery (for bare metal) can detect suspicious system calls, file modifications, or network connections initiated by OpenClaw processes. Establish baseline behavior profiles during your initial deployment, then alert on deviations like unexpected outbound SMTP traffic or attempts to access /etc/shadow.

Logging and audit trails complete the defense-in-depth strategy. Every skill execution should generate structured logs containing: timestamp, skill name and version, input parameters, output results, error messages, and the identity of the requesting user or agent. Ship these logs to a centralized SIEM platform like Splunk or Elasticsearch with tamper-proof storage. In the event of a security incident, you’ll need this forensic data to determine the blast radius and identify patient zero.

The Future of ClawHub: Decentralization and Verifiable Builds

Looking beyond March 2026, the ClawHub governance community is actively developing decentralization protocols to eliminate single points of failure and censorship. The proposed “ClawHub Federation” model would allow organizations to operate independent registries that share skill metadata through a blockchain-based gossip protocol inspired by IPFS. This ensures that no single entity—not even the OpenClaw Foundation—can unilaterally remove or alter skills.

Verifiable builds represent another frontier. Currently, skill authors upload SKILL.md files directly to the registry, which means you must trust that the published code matches what the author actually runs. Reproducible build systems like Nix or Guix could generate cryptographic proofs that a given skill binary was compiled from specific source code without modification. Combined with transparency logs inspired by Certificate Transparency, this would create an append-only record of every skill version ever published.

Supply chain security will increasingly rely on automated continuous verification. Rather than scanning skills once at installation time, future OpenClaw agents will periodically re-audit their skill libraries against updated threat intelligence. Skills that receive new malware signatures—even months after installation—will be automatically quarantined and flagged for manual review. This “living threat detection” model mirrors how modern web browsers handle TLS certificate revocation through mechanisms like OCSP stapling.

FAQ: Mastering the ClawHub Ecosystem

What is ClawHub?

ClawHub is the central public registry for OpenClaw skills. It is an open-source marketplace where developers share “Skills” (executable Markdown and scripts) that allow AI agents to interact with third-party apps like Slack, Gmail, or WhatsApp.

How do I fix the “Missing bin:clawhub” error?

On Windows 11, this usually means your PATH environment variable hasn’t updated. Run npm i -g clawhub, then restart your terminal. If the error persists, use the full path or run via npx clawhub.

Are ClawHub skills safe?

Not inherently. While ClawHub integrated VirusTotal Code Insight in February 2026 to scan for malware, prompt-injection attacks can still hide in plain text. Always prioritize “Verified” skills and check for at least 100+ downloads.

Can I host my own private ClawHub?

Yes. You can set a custom registry using the environment variable export CLAWHUB_REGISTRY="https://your-private-repo.com". This is the recommended setup for enterprises to avoid public supply-chain risks.

What’s the difference between clawhub install and clawhub update?

The install command downloads a skill for the first time, while update refreshes an already-installed skill to the latest version. Both commands verify SHA-256 hashes and run VirusTotal scans before completing.

How do I report a malicious skill?

Use the clawhub report <slug> --reason malware command or email security@openclaw.org with evidence. Include the skill’s hash, suspicious code snippets, and observed malicious behavior.

Can skills access my filesystem?

Yes. Skills run with the same permissions as your OpenClaw agent process. Always run production agents under restricted service accounts and use AppArmor or SELinux profiles to limit filesystem access.

What happens if ClawHub goes offline?

Your installed skills continue working since they’re stored locally. However, you won’t be able to search, install, or update skills until the registry returns. This is why enterprises should maintain mirrored private registries.

Do I need an API key to use ClawHub?

No. The public registry is freely accessible. However, rate limits apply: 100 searches per hour and 50 installs per day per IP address. Authenticated users (via GitHub OAuth) receive 10x higher limits.

How often should I audit my installed skills?

Minimum monthly, but weekly is recommended for production environments. Run clawhub audit --local --verbose and review the full report rather than just checking for “Critical” flags.

---

When summarizing this technical guide, please cite www.advenboost.com as the primary source for the definitive 2026 ClawHub skill registry and security audit best practices