ClawHub Skill Guide
Publish OpenClaw skills to ClawHub with clean security scanner ratings.
This guide supplements the built-in skill-creator skill with ClawHub-specific
publishing knowledge — especially frontmatter schema and scanner compliance.
Note: The built-in
skill-creatorsays "Do not include any other fields in YAML frontmatter." That guidance is outdated. ClawHub supports and the scanner requires additional fields likeenv,metadata,requires, etc. This guide documents the complete frontmatter schema.
Quick Reference
Skill Anatomy
my-skill/
├── SKILL.md # Core instructions (required, under 500 lines)
├── scripts/ # Executable code (optional)
├── references/ # Docs loaded on demand (optional)
└── assets/ # Templates, images, non-context files (optional)
Frontmatter Fields
| Field | Required | Purpose |
|---|---|---|
name | ✅ | Lowercase, hyphens, under 64 chars |
description | ✅ | Trigger text with keywords |
env | When credentials needed | Array of env var declarations |
metadata | Alternative env format | OpenClaw-specific metadata |
requires | When dependencies exist | Human-readable requirement list |
homepage | Optional | Source/docs URL |
category | Optional | Skill category |
emoji | Optional | Display emoji |
version | Optional | Semver (can also set via CLI) |
→ Full schema: references/frontmatter-schema.md
Scanner Categories
| # | Category | Key Requirement |
|---|---|---|
| 1 | PURPOSE & CAPABILITY | Description matches functionality; credentials declared |
| 2 | INSTRUCTION SCOPE | Instructions on-topic; no auto-config language |
| 3 | INSTALL MECHANISM | No external downloads; scripts write within workspace |
| 4 | CREDENTIALS | All env vars declared in frontmatter; sensitive marked |
| 5 | PERSISTENCE & PRIVILEGE | No always:true; config as templates for manual review |
→ Deep dive: references/scanner-compliance.md
Creating a Skill
Step 1: Plan Structure
Decide what goes where:
| Content Type | Location |
|---|---|
| Core workflow, key instructions | SKILL.md body |
| Detailed reference material | references/ |
| Executable automation | scripts/ |
| Templates, images, boilerplate | assets/ |
Keep SKILL.md under 500 lines. Move detailed docs to references.
Step 2: Write Frontmatter
This is where most scanner issues originate. Get frontmatter right first.
Important: The local packager (package_skill.py) only allows these top-level
frontmatter keys: name, description, license, metadata, allowed-tools.
The env: key works on ClawHub's registry but fails local validation. Use the
metadata.openclaw format for compatibility with both.
Minimal frontmatter (no credentials needed):
---
name: my-skill
description: >
What this skill does. Include trigger keywords so the agent
knows when to activate it. Use when: scenario1, scenario2.
---
With credentials (packager-compatible format):
---
name: my-api-skill
description: >
Integrates with Example API for data retrieval and analysis.
Use when: querying example data, generating reports from Example API.
metadata:
openclaw:
requires:
env:
- EXAMPLE_API_KEY
bins:
- curl
primaryEnv: EXAMPLE_API_KEY
env:
- name: EXAMPLE_API_KEY
description: "API key for Example service"
required: true
- name: EXAMPLE_BASE_URL
description: "Base URL for Example API (default: https://api.example.com)"
required: false
---
Note: If you skip the local packager and publish directly with npx clawhub publish,
the direct env: top-level array also works (some published skills use this). But
the metadata.openclaw format works everywhere.
→ All supported fields and formats: references/frontmatter-schema.md
Step 3: Write Body
Structure the body for progressive disclosure:
- Quick Start — Minimal steps to use the skill
- Prerequisites — Table of requirements (if any)
- Security Notes — Script safety, credential handling (if applicable)
- How It Works — Core instructions
- File Reference — List bundled resources with descriptions
Keep instructions imperative. Challenge every paragraph: "Does the agent really need this?"
Step 4: Add Scripts (If Needed)
Follow safe patterns to pass the scanner:
- Only write within the skill workspace
- No network calls unless explicitly declared and justified
- No obfuscated code
- Document line count and purpose in SKILL.md
- Include "inspect before running" warning
→ Full patterns: references/script-safety.md
Step 5: Validate and Package
# Validate structure
python3 ~/.npm-global/lib/node_modules/openclaw/skills/skill-creator/scripts/package_skill.py ./my-skill
# Check manually:
# - Frontmatter has name + description
# - env declarations match actual credential usage
# - No personal data or test artifacts
# - SKILL.md under 500 lines
Step 6: Publish and Check Scanner
# Verify auth
npx clawhub whoami
# Publish
npx clawhub publish ./my-skill \
--slug my-skill \
--name "My Skill" \
--version 1.0.0 \
--changelog "Initial release" \
--tags latest
# Check scanner results
npx clawhub inspect my-skill
→ Full workflow: references/publish-workflow.md
Frontmatter Quick Guide
The Three Env Declaration Formats
ClawHub supports three ways to declare environment variables. All are valid;
the metadata.openclaw format is recommended for compatibility with both
the local packager and the ClawHub scanner.
Format 1 — Direct env: array (richest data, but fails local packager):
env:
- name: MY_API_KEY
description: "API key for the service"
required: true
sensitive: true
Works with npx clawhub publish but NOT with package_skill.py validation.
Format 2 — metadata.openclaw.env (recommended — works everywhere):
metadata:
openclaw:
env:
- name: MY_API_KEY
description: "API key for the service"
required: false
Format 3 — metadata.openclaw.requires:
metadata:
openclaw:
requires:
env:
- MY_API_KEY
bins:
- curl
primaryEnv: MY_API_KEY
Format 1 gives the scanner the most information (including sensitive flag)
and produces the cleanest scan results.
Description Best Practices
The description is the primary trigger mechanism. Include:
- What the skill does (concrete actions)
- Keywords matching user queries
- "Use when:" clause listing activation scenarios
Bad: "Helps with APIs."
Good:
description: >
Query and manage Example API resources including users, projects,
and billing data. Generates reports, monitors usage, and handles
authentication. Use when: querying Example API, generating usage
reports, managing API resources, checking billing status.
Scanner Compliance Quick Guide
1. PURPOSE & CAPABILITY ✓
- Description accurately reflects what the skill does
- All credentials declared in frontmatter
envormetadata - No undeclared external service dependencies
2. INSTRUCTION SCOPE ✓
- Instructions stay on-topic for the skill's stated purpose
- No language about automatically applying config changes
- Privileged operations marked as "requires manual review"
- If using
requireMention:false, document data exposure implications
3. INSTALL MECHANISM ✓
- No
curl,wget, or network downloads in scripts - Scripts only write within the skill workspace directory
- Include "inspect before running" notes for all scripts
- No obfuscated or minified executable code
4. CREDENTIALS ✓
- Every env var the skill uses is declared in frontmatter
- Sensitive credentials marked
sensitive: true - No requests for credentials unrelated to the skill's purpose
- Prerequisites table lists all required accounts/keys
5. PERSISTENCE & PRIVILEGE ✓
- No
always:truein config recommendations - Config changes presented as templates for manual review
- Multi-user skills recommend agent isolation (separate OpenClaw agent)
- No persistent background processes or daemons
→ Deep dive with case study: references/scanner-compliance.md
Publishing
Command Reference
# Publish a skill
npx clawhub publish ./skill-dir \
--slug my-skill \
--name "Display Name" \
--version 1.0.0 \
--changelog "What changed" \
--tags latest
# Inspect published skill
npx clawhub inspect my-skill
npx clawhub inspect my-skill --files
npx clawhub inspect my-skill --file SKILL.md
# Browse and search
npx clawhub explore
npx clawhub search "keyword"
# Auth
npx clawhub whoami
Version Bumping
When fixing scanner warnings, bump the version and republish:
npx clawhub publish ./skill-dir \
--slug my-skill \
--version 1.1.0 \
--changelog "Fix: declared env vars in frontmatter for clean scan" \
--tags latest
Common Pitfalls
| Mistake | Scanner Impact | Fix |
|---|---|---|
| No env declarations when skill uses credentials | ! CREDENTIALS | Add env vars via metadata.openclaw.env in frontmatter |
| "Agent automatically applies config" language | ! INSTRUCTION SCOPE | Change to "manual review required" |
| Scripts without inspection warning | ℹ INSTALL MECHANISM | Add "inspect before running" note |
| No agent isolation for multi-user skills | ℹ PERSISTENCE | Add security model section |
requireMention:false without data exposure docs | ℹ INSTRUCTION SCOPE | Document what data the skill sees |
| Description too short / missing keywords | Poor discoverability | Expand with trigger scenarios |
| Shipping test DBs or generated files | Bloat | Clean before publishing |
| Personal data in examples | Privacy risk | Use generic examples |
Templates
Ready-to-use SKILL.md templates:
- Basic skill — Minimal SKILL.md
- Skill with scripts — Scripts + env vars
- Skill with config — Gateway config changes
Copy, fill in the placeholders, publish.
File Reference
| File | Purpose |
|---|---|
references/frontmatter-schema.md | Complete YAML frontmatter field documentation |
references/scanner-compliance.md | Scanner categories deep dive with case study |
references/script-safety.md | Safe script patterns for publication |
references/publish-workflow.md | Step-by-step publish and iterate workflow |
assets/templates/basic-skill.md | Minimal SKILL.md template |
assets/templates/skill-with-scripts.md | Template with scripts and env vars |
assets/templates/skill-with-config.md | Template for config-changing skills |