Trusted OpenClaw Skills
Curated catalog of OpenClaw skills with trust ratings.
Why this exists: A 2026 security audit found 820+ malicious skills on ClawHub, the public OpenClaw skill registry — including credential harvesters and cryptominers. OpenClaw skills are community-built plugins with no mandatory code review. This catalog lists skills that have been personally read or community-validated, with explicit trust tiers.
See also:
- reviewers — Meta: who reviews OpenClaw skills, registries, vetting
- Trusted Claude Skills — sister catalog
- Curation & Trust Networks — meta wiki
Trust tiers
| Tier | Meaning |
|---|---|
| 🟢 OpenClaw-core | Maintained in the openclaw/openclaw main repo or shipped with the npm package |
| 🔵 Plugin published by openclaw org | Listed under the openclaw GitHub org; first-party-adjacent |
| 🟡 Vetted-third-party | Community-validated, listed on VoltAgent/awesome-openclaw-skills, AND has a clean VirusTotal scan on ClawHub |
| 🟠 Personal-use | Jacob has it installed, source read, finds benign |
| 🔴 Audit-before-use | On ClawHub but not vetted; assume untrusted |
VirusTotal partnership: ClawHub integrates VirusTotal scanning. Always check a skill's VirusTotal report on its ClawHub page before install. (source)
Skills installed in Jacob's OpenClaw (Mac Mini)
OpenClaw config: ~/.openclaw/openclaw.json. Skill source: /Users/Jacob/.npm-global/lib/node_modules/openclaw/skills/. All 54 skills are inspectable on disk — that's the baseline trust here.
Tier 🟢 — Core / shipped with openclaw npm package
| Skill | Purpose |
|---|---|
coding-agent |
Spawns Claude/Codex coding tasks (PTY background) |
clawhub |
Native ClawHub browse/install |
skill-creator |
Scaffolds new skills |
tmux |
Terminal multiplexer integration |
mcporter |
MCP server bridge |
Tier 🟠 — Personal-use (read & benign)
Productivity / personal-data skills Jacob uses regularly:
| Skill | Purpose | Risk surface |
|---|---|---|
apple-notes |
Read/write Apple Notes (via memo CLI) |
Local Notes DB |
apple-reminders |
Reminders.app | Local |
bear-notes |
Bear notes app | Local |
things-mac |
Things 3 task manager | Local |
obsidian |
Obsidian vault | Local files |
notion |
Notion API | Notion auth token |
taskflow / taskflow-inbox-triage |
Task triage | Local |
imsg / bluebubbles |
iMessage | Messages.app DB |
slack |
Slack DM/channels | Slack token |
discord |
Discord | Discord token |
github / gh-issues |
GitHub API | gh-cli auth |
voice-call |
Twilio voice calls | Twilio creds |
1password |
1Password CLI | op session |
gemini |
Gemini API | API key |
summarize |
Text summarization | Pure prompt |
sherpa-onnx-tts |
Local TTS | Pure local |
openai-whisper / openai-whisper-api |
STT | Whisper or OpenAI |
weather |
Weather data | Network read |
xurl |
URL fetch helper | Network read |
nano-pdf |
PDF parsing | Local |
video-frames |
Video frame extraction | Local ffmpeg |
gifgrep |
Search reaction GIFs | Network read |
peekaboo |
Native macOS UI automation (last resort) | High — full UI access |
node-connect |
Node connectivity | Network |
gog / goplaces / openhue / sonoscli / spotify-player |
Smart-home / entertainment | Various |
eightctl / wacli |
Other CLIs | Various |
model-usage |
Token/cost tracking | Local logs |
oracle / sag |
Reasoning helpers | Pure prompt |
session-logs / healthcheck |
Logging / health | Local |
blogwatcher / blucli / camsnap / canvas / himalaya / ordercli / songsee |
Niche | Various |
trello |
Trello | Trello token |
Full list (54 skills) inventoried in session memory; this table is the readable summary.
High-risk skills to be careful with
peekaboo— full macOS UI automation; can click anywhere, see anything. Useful but invasive. Per Jacob's tool-UI rules: only use as last resort for native apps.coding-agent— spawns claude/codex with PTY + background; this is a foot-gun for prompt injection vectors.- Anything with
run_commandor shell-exec in itstoolsdeclaration.
High-reputation OpenClaw curators
| Source | What |
|---|---|
openclaw/openclaw |
Main repo |
openclaw/clawhub |
Public skill registry source |
VoltAgent/awesome-openclaw-skills |
"5,400+ skills filtered and categorized" — community curation layer |
| docs.openclaw.ai/tools/plugin | Official plugin docs (mentions VirusTotal scanning) |
| Composio "Top 10 OpenClaw skills" | Editorial top-10 list — useful as a starting filter |
| AI Makers — Best OpenClaw Skills 2026 + 5 to avoid | Includes a denylist of 5 to avoid (rare and valuable) |
Marketplaces requiring caution
- ClawHub default catalog — 820+ malicious skills found in audits. Assume untrusted. Always check the VirusTotal report before install.
- npm
openclaw-*packages — npm has zero gating. Read the package contents before installing.
How to vet an OpenClaw skill before installing
- Find the skill on ClawHub and read the VirusTotal report.
- Read the
SKILL.mdand any source files. Look for: shell exec, network calls to unknown hosts, env-variable exfiltration patterns. - Check if the skill is listed in VoltAgent/awesome-openclaw-skills — that's a soft community signal.
- Sandbox first: If installing on the main agent (Kitsune), force
sandbox.mode: "all"first and try the skill there. Promote to non-sandboxed only if needed. - Never install a skill recommended by someone you don't know in a Telegram/Discord without independent verification.
OpenClaw security baseline (from Jacob's CLAUDE.md)
The OpenClaw threat model on Mac Mini:
- Broken/missing bindings silently fall through to the unsandboxed default agent — every non-Jacob user/group MUST have a binding to a sandboxed agent.
- Run
~/.claude/scripts/openclaw-binding-audit.shbefore/after any binding change. dmPolicy: "open"without bindings = anyone with the bot username gets full shell access. Never.- Only Jacob's Telegram ID (
636532567) routes to the unsandboxed main agent.
This means: the trust gate isn't only "is this skill safe" — it's also "which agent is this skill installed on, and who can talk to that agent." A trusted skill on a misconfigured agent is still a hole.