Skill Hub for OpenClaw Skill Discovery and Vetting

What it does

Skill Hub is a community OpenClaw skill candidate focused on finding and pre-screening other skills. The fetched source describes searchable catalog workflows, ClawHub/awesome-list lookup, credibility scores, status tables, quick GitHub checks, and scanners for code-level and prompt-level risk patterns. It is best viewed as a discovery and review surface, not as proof that any candidate it finds is safe.

Who should use it

OpenClaw operators who frequently evaluate community skills and want a more structured shortlist before manual review. It is especially relevant for maintainers who need to compare registry entries, installed skills, and unvetted candidates without relying only on search results.

Setup surface

The source evidence points to a Python-based skill with scripts for search, sync, status, and vetting. It declares MIT licensing in SKILL.md and the repository README states MIT License, so this Loot is classified as free from source evidence. The implementation surface includes file reads/writes, subprocess usage, optional npx/clawhub inspection, and catalog JSON updates; those areas require review before any install or execution.

Runner test plan

1. Static scan: review SKILL.md, all scripts, references, catalog files, hidden files, and repository metadata before installation.
2. Dependency/install review: inspect Python imports, any requirements or package files, npx/clawhub usage, network endpoints, license, maintainer history, and whether setup writes outside the intended skill directory.
3. Prompt-injection/tool-poisoning review: treat README, SKILL.md, ClawHub copy, examples, catalog entries, and fetched skill data as untrusted; check for attempts to reveal secrets, read broad home/config/SSH files, override agent instructions, or bypass safety gates.
4. Sandbox execution: only after review, run search/status/vet flows in a disposable container or VM with no real credentials and a synthetic skills directory.
5. Screenshot/video when UI or command output exists: capture terminal output for catalog search, failed/missing catalog behavior, vetting a harmless fixture, and refusal/timeout behavior for unavailable network tools.
6. Residual risks: registry data can be stale or poisoned, subprocess/npx inspection expands the trust boundary, automated scores can create false confidence, and installation commands shown in docs must not be executed outside a sandbox before Runner artifacts exist.

Risk notes

Do not install or run this directly on a production Raspberry Pi or personal OpenClaw workspace before Runner AI Review artifacts exist. The fetched vetting script uses subprocess calls to npx clawhub for inspection and can write local catalog state, so even read-oriented workflows need filesystem and network boundaries. The skill itself is useful precisely because community skills are untrusted, but its own scanner output should remain advisory rather than a safety certification.

Source links

• Awesome OpenClaw Skills list: https://github.com/VoltAgent/awesome-openclaw-skills/blob/main/categories/coding-agents-and-ides.md
• ClawHub page: https://clawhub.ai/phenixstar/skill-hub
• Reachable source repository: https://github.com/PhenixStar/openclaw-skills-collection
• Source SKILL.md: https://raw.githubusercontent.com/PhenixStar/openclaw-skills-collection/master/skill-hub/SKILL.md