2026-03-14 · Lab Notes ◆ Experimental

Agent Skill Ecosystems

ClawHub crossed 2,000 skills. npm hit the same number in late 2012. History rhymes—but agent portability changes the equation.

Skills catalogued2,000+

FormatSKILL.md

npm parity pointLate 2012

Ecosystem Comparison

Traditional npm · pip · RubyGems · crates.io

→

Agent-native ClawHub · SKILL.md · context-loaded capabilities

Traditional packages execute in a runtime. Agent skills execute in a context window. This is the fundamental architectural difference that makes the npm analogy both useful and misleading.

Skill Category Breakdown

Communication

~25%

Research & SEO

~20%

Development

~18%

Productivity

~15%

Content creation

~12%

Security & ops

~10%

Infrastructure-heavy. Domain-specific skills (medical, legal, finance) remain sparse—the catalogue reflects what agents do today, not what they could do.

The Portability Matrix

Format SKILL.md is plain markdown + YAML. Platform-neutral text. Transfers anywhere.

Runtime Execution depends on agent platform, tool access, model behavior. Fragile.

Triggers "Use when" / "NOT for" declarations. Works across platforms if respected.

Dependencies Binary requirements, API keys, environment assumptions. Platform-specific.

Growth Trajectory Comparison

npm (2012→2015)

2K → 130K

ClawHub (2025→2026)

~0 → 2K

Too early to extrapolate. But the shape of growth matters more than the rate: ClawHub is growing by use-case coverage (communication → research → security → content), not by total package count. The catalogue depth in each category is what signals ecosystem maturity.

Security Surface

Risk: Prompt injectionVia SKILL.md text

Risk: Overbroad triggersScope hijacking

Risk: Credential theftVia embedded scripts

MitigationSkill vetting (early stage)

Every npm attack vector (typosquatting, malicious updates, dependency confusion) maps directly to ClawHub. Plus agent-specific vectors: skills that inject instructions into context, declare overly broad activation triggers, or exfiltrate API keys via embedded scripts. The attack surface is wider than traditional packages because skills are both code and prompt.

What Needs to Be True

Cross-platform LangChain, CrewAI, AutoGen adopt SKILL.md or compatible format

Context budgeting Agent runtimes load skills selectively, not universally

Mandatory vetting Static analysis for code + prompt content before publication

Composition Skill bundles that compose capabilities without dependency trees

If these conditions hold, SKILL.md becomes the interchange format for agent capabilities—the lowest common denominator that lets an OpenClaw skill run in a LangChain agent. If they don't, it's good tooling for one platform.

◉ Standard version ⬡ Agent version