mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-06 09:00:42 +00:00
15 KiB
15 KiB
summary, read_when, title, sidebarTitle
| summary | read_when | title | sidebarTitle | |||
|---|---|---|---|---|---|---|
| ClawHub: public registry for OpenClaw skills and plugins, native install flows, and the clawhub CLI |
|
ClawHub | ClawHub |
ClawHub is the public registry for OpenClaw skills and plugins.
- Use native
openclawcommands to search, install, and update skills, and to install plugins from ClawHub. - Use the separate
clawhubCLI for registry auth, publish, delete/undelete, and sync workflows.
Site: clawhub.ai
Quick start
```bash openclaw skills search "calendar" ``` ```bash openclaw skills install ``` Start a new OpenClaw session — it picks up the new skill. For registry-authenticated workflows (publish, sync, manage), install the separate `clawhub` CLI:```bash
npm i -g clawhub
# or
pnpm add -g clawhub
```
Native OpenClaw flows
```bash openclaw skills search "calendar" openclaw skills install openclaw skills update --all ```Native `openclaw` commands install into your active workspace and
persist source metadata so later `update` calls can stay on ClawHub.
Bare npm-safe plugin specs are also tried against ClawHub before npm:
```bash
openclaw plugins install openclaw-codex-app-server
```
Use `npm:<package>` when you want npm-only resolution without a
ClawHub lookup:
```bash
openclaw plugins install npm:openclaw-codex-app-server
```
Plugin installs validate advertised `pluginApi` and
`minGatewayVersion` compatibility before archive install runs, so
incompatible hosts fail closed early instead of partially installing
the package.
Anonymous ClawHub plugin installs also fail closed for private packages. Community or other non-official channels can still install, but OpenClaw warns so operators can review source and verification before enabling them.
What ClawHub is
- A public registry for OpenClaw skills and plugins.
- A versioned store of skill bundles and metadata.
- A discovery surface for search, tags, and usage signals.
A typical skill is a versioned bundle of files that includes:
- A
SKILL.mdfile with the primary description and usage. - Optional configs, scripts, or supporting files used by the skill.
- Metadata such as tags, summary, and install requirements.
ClawHub uses metadata to power discovery and safely expose skill capabilities. The registry tracks usage signals (stars, downloads) to improve ranking and visibility. Each publish creates a new semver version, and the registry keeps version history so users can audit changes.
Workspace and skill loading
The separate clawhub CLI also installs skills into ./skills under
your current working directory. If an OpenClaw workspace is configured,
clawhub falls back to that workspace unless you override --workdir
(or CLAWHUB_WORKDIR). OpenClaw loads workspace skills from
<workspace>/skills and picks them up in the next session.
If you already use ~/.openclaw/skills or bundled skills, workspace
skills take precedence. For more detail on how skills are loaded,
shared, and gated, see Skills.
Service features
| Feature | Notes |
|---|---|
| Public browsing | Skills and their SKILL.md content are publicly viewable. |
| Search | Embedding-powered (vector search), not just keywords. |
| Versioning | Semver, changelogs, and tags (including latest). |
| Downloads | Zip per version. |
| Stars and comments | Community feedback. |
| Security scan summaries | Detail pages show the latest scan state before install or download. |
| Scanner detail pages | VirusTotal, ClawScan, and static-analysis results have deep links. |
| Owner recovery dashboard | Publishers can see scan-held owned content from /dashboard. |
| Owner-requested rescans | Owners can request limited rescans for false-positive recovery. |
| Moderation | Approvals and audits. |
| CLI-friendly API | Suitable for automation and scripting. |
Security and moderation
ClawHub is open by default — anyone can upload skills, but a GitHub account must be at least one week old to publish. This slows down abuse without blocking legitimate contributors.
ClawHub runs automated security checks on published skills and plugin releases. Public detail pages summarize the current result, and scanner rows link to dedicated detail pages for VirusTotal, ClawScan, and static analysis.Scan-held or blocked releases may be unavailable on public catalog and
install surfaces while still visible to their owner in `/dashboard`.
ClawHub CLI
You only need this for registry-authenticated workflows such as publish/sync.
Global options
Working directory. Default: current dir; falls back to OpenClaw workspace. Skills directory, relative to workdir. Site base URL (browser login). Registry API base URL. Disable prompts (non-interactive). Print CLI version.Commands
```bash clawhub login # browser flow clawhub login --token clawhub logout clawhub whoami ```Login options:
- `--token <token>` — paste an API token.
- `--label <label>` — label stored for browser login tokens (default: `CLI token`).
- `--no-browser` — do not open a browser (requires `--token`).
Searches skills. For plugin/package discovery, use `clawhub package explore`.
- `--limit <n>` — max results.
`package explore` and `package inspect` are the ClawHub CLI surfaces for plugin/package discovery and metadata inspection. Native OpenClaw installs still use `openclaw plugins install clawhub:<package>`.
Options:
- `--family skill|code-plugin|bundle-plugin` — filter package family.
- `--official` — show only official packages.
- `--executes-code` — show only packages that execute code.
- `--version <version>` / `--tag <tag>` — inspect a specific package version.
- `--versions`, `--files`, `--file <path>` — inspect package history and files.
- `--json` — machine-readable output.
Options:
- `--version <version>` — install or update to a specific version (single slug only on `update`).
- `--force` — overwrite if the folder already exists, or when local files do not match any published version.
- `clawhub list` reads `.clawhub/lock.json`.
Options:
- `--slug <slug>` — skill slug.
- `--name <name>` — display name.
- `--version <version>` — semver version.
- `--changelog <text>` — changelog text (can be empty).
- `--tags <tags>` — comma-separated tags (default: `latest`).
`<source>` can be a local folder, `owner/repo`, `owner/repo@ref`, or a
GitHub URL.
Options:
- `--dry-run` — build the exact publish plan without uploading anything.
- `--json` — emit machine-readable output for CI.
- `--source-repo`, `--source-commit`, `--source-ref` — optional overrides when auto-detection is not enough.
clawhub package rescan <name>
clawhub package rescan <name> --yes --json
```
Rescan commands require a logged-in owner token and target the latest
published skill version or plugin release. In non-interactive runs, pass
`--yes`.
JSON responses include the target kind, name, version, rescan status, and
remaining/max request counts for that version or release.
Options:
- `--root <dir...>` — extra scan roots.
- `--all` — upload everything without prompts.
- `--dry-run` — show what would be uploaded.
- `--bump <type>` — `patch|minor|major` for updates (default: `patch`).
- `--changelog <text>` — changelog for non-interactive updates.
- `--tags <tags>` — comma-separated tags (default: `latest`).
- `--concurrency <n>` — registry checks (default: `4`).
Common workflows
```bash clawhub search "postgres backups" ``` ```bash clawhub package explore --family code-plugin clawhub package explore "memory" --family code-plugin clawhub package inspect episodic-claw ``` ```bash clawhub install my-skill-pack ``` ```bash clawhub update --all ``` ```bash clawhub skill publish ./my-skill --slug my-skill --name "My Skill" --version 1.0.0 --tags latest ``` ```bash clawhub sync --all ``` ```bash clawhub package publish your-org/your-plugin --dry-run clawhub package publish your-org/your-plugin clawhub package publish your-org/your-plugin@v1.0.0 clawhub package publish https://github.com/your-org/your-plugin ```Plugin package metadata
Code plugins must include the required OpenClaw metadata in
package.json:
{
"name": "@myorg/openclaw-my-plugin",
"version": "1.0.0",
"type": "module",
"openclaw": {
"extensions": ["./src/index.ts"],
"runtimeExtensions": ["./dist/index.js"],
"compat": {
"pluginApi": ">=2026.3.24-beta.2",
"minGatewayVersion": "2026.3.24-beta.2"
},
"build": {
"openclawVersion": "2026.3.24-beta.2",
"pluginSdkVersion": "2026.3.24-beta.2"
}
}
}
Published packages should ship built JavaScript and point
runtimeExtensions at that output. Git checkout installs can still fall
back to TypeScript source when no built files exist, but built runtime
entries avoid runtime TypeScript compilation in startup, doctor, and
plugin loading paths.
Versioning, lockfile, and telemetry
- Each publish creates a new **semver** `SkillVersion`. - Tags (like `latest`) point to a version; moving tags lets you roll back. - Changelogs are attached per version and can be empty when syncing or publishing updates. Updates compare the local skill contents to registry versions using a content hash. If local files do not match any published version, the CLI asks before overwriting (or requires `--force` in non-interactive runs). `clawhub sync` scans your current workdir first. If no skills are found, it falls back to known legacy locations (for example `~/openclaw/skills` and `~/.openclaw/skills`). This is designed to find older skill installs without extra flags. - Installed skills are recorded in `.clawhub/lock.json` under your workdir. - Auth tokens are stored in the ClawHub CLI config file (override via `CLAWHUB_CONFIG_PATH`). When you run `clawhub sync` while logged in, the CLI sends a minimal snapshot to compute install counts. You can disable this entirely:```bash
export CLAWHUB_DISABLE_TELEMETRY=1
```
Environment variables
| Variable | Effect |
|---|---|
CLAWHUB_SITE |
Override the site URL. |
CLAWHUB_REGISTRY |
Override the registry API URL. |
CLAWHUB_CONFIG_PATH |
Override where the CLI stores the token/config. |
CLAWHUB_WORKDIR |
Override the default workdir. |
CLAWHUB_DISABLE_TELEMETRY=1 |
Disable telemetry on sync. |