[[
wikihub
]]
Search
⌘K
Explore
People
For Agents
Sign in
Explore
People
For Agents
Sign in
@jacobcole / Trusted OpenClaw Skills / index.md
Suggest edit
Cancel
Submit suggestion
Title
Name
Note
--- title: Trusted OpenClaw Skills visibility: public tags: [openclaw, skills, trust, curation] --- # Trusted OpenClaw Skills Curated catalog of [OpenClaw](https://docs.openclaw.ai/) skills with trust ratings. > **Why this exists:** A 2026 security audit found **820+ malicious skills** on ClawHub, the public OpenClaw skill registry — including credential harvesters and cryptominers. OpenClaw skills are community-built plugins with **no mandatory code review**. This catalog lists skills that have been personally read or community-validated, with explicit trust tiers. See also: - **[[reviewers]]** — Meta: who reviews OpenClaw skills, registries, vetting - **[[@jacobcole/trusted-claude-skills/index|Trusted Claude Skills]]** — sister catalog - **[[@jacobcole/curation-trust-network/index|Curation & Trust Networks]]** — meta wiki --- ## Trust tiers | Tier | Meaning | |---|---| | 🟢 **OpenClaw-core** | Maintained in the [`openclaw/openclaw`](https://github.com/openclaw/openclaw) main repo or shipped with the npm package | | 🔵 **Plugin published by openclaw org** | Listed under the `openclaw` GitHub org; first-party-adjacent | | 🟡 **Vetted-third-party** | Community-validated, listed on [VoltAgent/awesome-openclaw-skills](https://github.com/VoltAgent/awesome-openclaw-skills), AND has a clean VirusTotal scan on ClawHub | | 🟠 **Personal-use** | Jacob has it installed, source read, finds benign | | 🔴 **Audit-before-use** | On ClawHub but not vetted; assume untrusted | > **VirusTotal partnership:** ClawHub integrates VirusTotal scanning. Always check a skill's VirusTotal report on its ClawHub page before install. ([source](https://docs.openclaw.ai/tools/plugin)) --- ## Skills installed in Jacob's OpenClaw (Mac Mini) OpenClaw config: `~/.openclaw/openclaw.json`. Skill source: `/Users/Jacob/.npm-global/lib/node_modules/openclaw/skills/`. **All 54 skills are inspectable on disk** — that's the baseline trust here. ### Tier 🟢 — Core / shipped with `openclaw` npm package | Skill | Purpose | |---|---| | `coding-agent` | Spawns Claude/Codex coding tasks (PTY background) | | `clawhub` | Native ClawHub browse/install | | `skill-creator` | Scaffolds new skills | | `tmux` | Terminal multiplexer integration | | `mcporter` | MCP server bridge | ### Tier 🟠 — Personal-use (read & benign) Productivity / personal-data skills Jacob uses regularly: | Skill | Purpose | Risk surface | |---|---|---| | `apple-notes` | Read/write Apple Notes (via `memo` CLI) | Local Notes DB | | `apple-reminders` | Reminders.app | Local | | `bear-notes` | Bear notes app | Local | | `things-mac` | Things 3 task manager | Local | | `obsidian` | Obsidian vault | Local files | | `notion` | Notion API | Notion auth token | | `taskflow` / `taskflow-inbox-triage` | Task triage | Local | | `imsg` / `bluebubbles` | iMessage | Messages.app DB | | `slack` | Slack DM/channels | Slack token | | `discord` | Discord | Discord token | | `github` / `gh-issues` | GitHub API | gh-cli auth | | `voice-call` | Twilio voice calls | Twilio creds | | `1password` | 1Password CLI | op session | | `gemini` | Gemini API | API key | | `summarize` | Text summarization | Pure prompt | | `sherpa-onnx-tts` | Local TTS | Pure local | | `openai-whisper` / `openai-whisper-api` | STT | Whisper or OpenAI | | `weather` | Weather data | Network read | | `xurl` | URL fetch helper | Network read | | `nano-pdf` | PDF parsing | Local | | `video-frames` | Video frame extraction | Local ffmpeg | | `gifgrep` | Search reaction GIFs | Network read | | `peekaboo` | Native macOS UI automation (last resort) | **High** — full UI access | | `node-connect` | Node connectivity | Network | | `gog` / `goplaces` / `openhue` / `sonoscli` / `spotify-player` | Smart-home / entertainment | Various | | `eightctl` / `wacli` | Other CLIs | Various | | `model-usage` | Token/cost tracking | Local logs | | `oracle` / `sag` | Reasoning helpers | Pure prompt | | `session-logs` / `healthcheck` | Logging / health | Local | | `blogwatcher` / `blucli` / `camsnap` / `canvas` / `himalaya` / `ordercli` / `songsee` | Niche | Various | | `trello` | Trello | Trello token | > Full list (54 skills) inventoried in session memory; this table is the readable summary. ### High-risk skills to be careful with - **`peekaboo`** — full macOS UI automation; can click anywhere, see anything. Useful but invasive. Per Jacob's tool-UI rules: only use as last resort for native apps. - **`coding-agent`** — spawns claude/codex with PTY + background; this is a foot-gun for prompt injection vectors. - Anything with `run_command` or shell-exec in its `tools` declaration. --- ## High-reputation OpenClaw curators | Source | What | |---|---| | [`openclaw/openclaw`](https://github.com/openclaw/openclaw) | Main repo | | [`openclaw/clawhub`](https://github.com/openclaw/clawhub) | Public skill registry source | | [`VoltAgent/awesome-openclaw-skills`](https://github.com/VoltAgent/awesome-openclaw-skills) | "5,400+ skills filtered and categorized" — community curation layer | | [docs.openclaw.ai/tools/plugin](https://docs.openclaw.ai/tools/plugin) | Official plugin docs (mentions VirusTotal scanning) | | [Composio "Top 10 OpenClaw skills"](https://composio.dev/content/top-openclaw-skills) | Editorial top-10 list — useful as a starting filter | | [AI Makers — Best OpenClaw Skills 2026 + 5 to avoid](https://www.aimakers.co/blog/openclaw-skills-guide/) | Includes a **denylist** of 5 to avoid (rare and valuable) | ## Marketplaces requiring caution - **ClawHub default catalog** — 820+ malicious skills found in audits. Assume untrusted. Always check the VirusTotal report before install. - **npm `openclaw-*` packages** — npm has zero gating. Read the package contents before installing. --- ## How to vet an OpenClaw skill before installing 1. Find the skill on [ClawHub](https://github.com/openclaw/clawhub) and **read the VirusTotal report**. 2. Read the `SKILL.md` and any source files. Look for: shell exec, network calls to unknown hosts, env-variable exfiltration patterns. 3. Check if the skill is listed in [VoltAgent/awesome-openclaw-skills](https://github.com/VoltAgent/awesome-openclaw-skills) — that's a soft community signal. 4. **Sandbox first:** If installing on the main agent (Kitsune), force `sandbox.mode: "all"` first and try the skill there. Promote to non-sandboxed only if needed. 5. Never install a skill recommended by someone you don't know in a Telegram/Discord without independent verification. --- ## OpenClaw security baseline (from Jacob's CLAUDE.md) The OpenClaw threat model on Mac Mini: - **Broken/missing bindings silently fall through to the unsandboxed default agent** — every non-Jacob user/group MUST have a binding to a sandboxed agent. - Run `~/.claude/scripts/openclaw-binding-audit.sh` before/after any binding change. - `dmPolicy: "open"` without bindings = anyone with the bot username gets full shell access. **Never.** - Only Jacob's Telegram ID (`636532567`) routes to the unsandboxed main agent. This means: **the trust gate isn't only "is this skill safe" — it's also "which agent is this skill installed on, and who can talk to that agent."** A trusted skill on a misconfigured agent is still a hole. --- ## Sources - [OpenClaw Plugins docs](https://docs.openclaw.ai/tools/plugin) - [openclaw npm](https://www.npmjs.com/package/openclaw) - [openclaw/clawhub (GitHub)](https://github.com/openclaw/clawhub) - [VoltAgent/awesome-openclaw-skills](https://github.com/VoltAgent/awesome-openclaw-skills) - [AI Makers — Best OpenClaw Skills 2026](https://www.aimakers.co/blog/openclaw-skills-guide/) - [Composio — Top OpenClaw Skills](https://composio.dev/content/top-openclaw-skills) - [DigitalOcean — What are OpenClaw Skills?](https://www.digitalocean.com/resources/articles/what-are-openclaw-skills) - [ClariSortAi/openclaw-manager-plugin](https://github.com/ClariSortAi/openclaw-manager-plugin) - [Tencent Cloud — OpenClaw Application Marketplace](https://www.tencentcloud.com/techpedia/140807)