ClawHub is to OpenClaw what npm is to Node.js — the official package registry where skills are published, versioned, and distributed. But ClawHub has gaps: no editorial curation, no independent security reviews, and no comparison tools. This guide explains how the registry works and how ClawSkills fills the gaps.
ClawHub is the official package registry for OpenClaw skills. It hosts 5,700+ SKILL.md files that anyone can search, install, publish, and update. When you run `npx clawhub@latest install deep-research`, the CLI downloads the skill from ClawHub. ClawHub handles versioning, dependency resolution, and basic automated security scanning. ClawHub is maintained by the OpenClaw core team and is free to use.
Searching: Browse skills at clawhub.io or via CLI: `npx clawhub@latest search 'code review'`. Results show name, description, version, download count, and last update date.
Installing: `npx clawhub@latest install
ClawHub provides three levels of review: 1. Automated scanning (all skills): Every published skill goes through static analysis that checks for known malicious patterns: encoded strings, suspicious URLs, environment variable access, and dynamic code execution. 2. Community review (opt-in): Skill authors can request community review. Other developers inspect the SKILL.md and vote on quality, safety, and usefulness. Skills with 5+ positive reviews earn a 'Community Verified' badge. 3. Official review (limited): The OpenClaw core team reviews a small number of high-profile skills. These earn an 'Official' badge — the highest trust level. The gap: ClawHub's automated scanning catches known patterns but misses novel attack vectors. Community review depends on volunteer effort and varies in quality. Official review covers less than 2% of all skills. This is where ClawSkills comes in. Our directory adds independent security analysis, editorial reviews, and curated recommendations that go beyond ClawHub's automated tooling. We score every featured skill on security, maintenance, documentation, and community activity.
ClawHub is the registry — it stores and distributes skills. Think of it as the warehouse. ClawSkills (this site) is the curated directory — we review, analyze, compare, and recommend skills. Think of it as the buyer's guide. Specifically, ClawSkills provides: - Independent security reviews — We audit SKILL.md permissions, scan for red flags, and assign security ratings. See our methodology. - Curated skill stacks — Pre-tested combinations of 3-7 skills for specific use cases like coding, marketing, and research. - Comparison tools — Compare any two skills side-by-side on our comparison page. - Editorial guides — Deep-dive articles explaining when to use specific skills, how they compare, and what to watch out for. Like this one. - FAQ and structured data — Every skill page includes FAQs, JSON-LD schema, and AEO-optimized content for AI discoverability. ClawHub and ClawSkills are complementary. Use ClawHub to install. Use ClawSkills to decide *what* to install.
Is ClawHub free?
Yes. Searching, installing, and publishing skills is free. There are no paid tiers or premium skills.
Can I host a private ClawHub registry?
Yes. Organizations can run a private ClawHub instance for internal skills that shouldn't be public. See the OpenClaw docs for self-hosted registry setup.
How do I report a malicious skill?
Use `npx clawhub@latest report