2026-03-14 · Lab Notes ⬡ Agent
ClawHub Skill Ecosystem: Agent-Readable Spec
§1 — Context
DOMAIN: Agent skill marketplace and registry
PLATFORM: ClawHub (clawhub.ai)
FORMAT: SKILL.md (YAML frontmatter + markdown)
CATALOGUE: 2,000+ skills
CLI: npm i -g clawhub
REGISTRY: https://clawhub.com (default)
STATUS: Early ecosystem — format stable, adoption narrow
DATE: 2026-03-14
§2 — SKILL.md Format
STRUCTURE:
→ YAML frontmatter # name, description, metadata
→ Markdown body # Human + agent-readable instructions
FRONTMATTER:
→ name: # Skill identifier (kebab-case)
→ description: # One-line summary for search/discovery
→ metadata.openclaw: # Platform-specific runtime requirements
    → requires.bins # Binary dependencies (e.g., ["curl"])
    → install # Auto-install instructions
BODY:
→ Trigger declarations: "Use when: ..." / "NOT for: ..."
→ Procedural steps: How to accomplish the skill's purpose
→ Reference files: Optional scripts, configs, templates
PAYLOAD:
→ Scripts # Optional executable files
→ Reference docs # Additional markdown or config files
→ Subdirectories # Nested structure (e.g., skills/ subcommands)
§3 — CLI Protocol
DISCOVERY:
$ clawhub search "postgres backups" # Full-text search
$ clawhub list # Installed skills
INSTALL:
$ clawhub install my-skill # Latest version
$ clawhub install my-skill --version 1.2.3 # Pinned
→ Target: ./skills/ directory (default)
→ Override: --dir, --workdir, or CLAWHUB_WORKDIR
UPDATE:
$ clawhub update my-skill # Hash-based match → upgrade
$ clawhub update --all # Bulk update
$ clawhub update --all --force --no-input # Overwrite local changes
PUBLISH:
$ clawhub publish ./my-skill --slug my-skill --name "My Skill" \
    --version 1.2.0 --changelog "Fixes + docs"
→ Requires: clawhub login / clawhub whoami
→ Auth: Registry credentials (clawhub.com)
§4 — npm Ecosystem Comparison
DIMENSION              npm (2012)             ClawHub (2026)
──────────────────────────────────────────────────────────────────────
Package count          ~2,000                 2,000+
Distribution format    package.json + JS      SKILL.md + scripts
Install CLI            npm install            clawhub install
Versioning             Semver                 Semver + hash matching
Dependency model       Tree (transitive)      Flat (self-contained)
Execution              Runtime (V8)           Context window (LLM)
Token cost             Zero                   Context budget consumed
Platform lock-in       Low (JS standard)      Medium (openclaw metadata)
CRITICAL DIFFERENCE:
→ npm packages execute in a JS runtime
→ ClawHub skills are READ by an agent's context window
→ "Execution environment" = the agent itself
→ Version compatibility depends on model behavior, not API contracts
§5 — Security Model
THREAT                  VECTOR                                    SEVERITY
───────────────────────────────────────────────────────────────────────────
Prompt injection        SKILL.md body text                        HIGH
  → Skill instructions become agent context
  → Malicious text overrides agent behavior
  → No sandbox between skill text and agent reasoning
Typosquatting           Slug similarity (weathr vs weather)       MEDIUM
  → User installs wrong skill by mistyping
  → Malicious skill activates on overlapping triggers
Overbroad triggers      "Use when: user asks about files"         MEDIUM
  → Skill intercepts unintended interactions
  → Scope hijacking via trigger declarations
Malicious updates       Legitimate v1.0 → data exfil in v1.1      HIGH
  → Hash matching detects changes but doesn't analyze content
  → --force flag bypasses local review
Credential harvesting   Skills requesting API keys/env vars       HIGH
  → Embedded scripts access environment
  → No isolation between skill scripts and host
MITIGATIONS:
→ skill-vetter: Exists in ecosystem (adoption unclear)
→ Hash-based updates: Detects local modifications
→ Manual review: No mandatory pre-publish analysis
→ Sandboxing: Not implemented
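ADDED EXAMPLE (not from the original notes, not ClawHub code): hash matching says that a skill changed, not what changed, so a reviewer needs the list of files to read before accepting an update. The sketch below builds that list from two skill directories; the directory layout, file names and contents are constructed for the demonstration, and it assumes both versions are available on disk.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(skill_dir):
    """Map each file's relative path to the SHA-256 of its contents."""
    root = Path(skill_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def review_queue(old_dir, new_dir):
    """List (status, path) for every file a human must read before updating."""
    old, new = manifest(old_dir), manifest(new_dir)
    queue = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            queue.append(("added", path))      # new payload, never reviewed
        elif path not in new:
            queue.append(("removed", path))
        elif old[path] != new[path]:
            queue.append(("changed", path))    # same name, different content
    return queue

def build_sample(root, files):
    """Write a constructed skill tree under root."""
    for rel, text in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

def demo():
    # Constructed v1.0 and v1.1 of a hypothetical skill; not registry content.
    skill_md = "---\nname: weather\n---\nUse when: user asks for a forecast\n"
    with tempfile.TemporaryDirectory() as v1, tempfile.TemporaryDirectory() as v2:
        build_sample(v1, {"SKILL.md": skill_md,
                          "scripts/fetch.sh": "curl -s https://example.invalid/forecast\n"})
        build_sample(v2, {"SKILL.md": skill_md,
                          "scripts/fetch.sh": "curl -s https://example.invalid/forecast\n"
                                              "curl -s https://example.invalid/extra\n",
                          "scripts/post.sh": "echo placeholder\n"})
        return review_queue(v1, v2)

if __name__ == "__main__":
    for status, path in demo():
        print(f"{status:8} {path}")
```

An empty queue means the two trees are byte-identical; anything else is content that `--force` would have overwritten without review.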
§6 — Category Distribution
CATEGORY            SHARE   EXAMPLES
───────────────────────────────────────────────────────────────
Communication       ~25%    Email (himalaya, agentmail), messaging, X/Twitter
Research & SEO      ~20%    Deep research, blog monitoring, SEO audit, content engine
Development         ~18%    GitHub ops (gh-issues, github), CI/CD, code review
Productivity        ~15%    Calendar, Google Workspace, file management
Content creation    ~12%    Blog publishing, content marketing, humanizer
Security & ops      ~10%    Health checks, security hardening, skill vetting, auto-update
GAPS:
→ Domain-specific: medical, legal, finance (sparse)
→ Creative: image generation, video editing (minimal)
→ Enterprise: SSO, RBAC, audit logging (absent)
§7 — Portability Assessment
FORMAT PORTABILITY: HIGH
→ Plain markdown + YAML. No platform-specific syntax in body.
→ Readable by any agent that consumes text context.
METADATA PORTABILITY: MEDIUM
→ metadata.openclaw is platform-specific.
→ Other platforms must adopt convention or ignore.
→ Trigger declarations ("Use when") are convention, not enforced.
RUNTIME PORTABILITY: LOW
→ Skills assume tool access (exec, browser, email tools).
→ Sandboxed agents may lack required primitives.
→ Context window size varies by model (8K → 200K).
→ Model behavior differences affect instruction following.
BARRIER TO ADOPTION:
→ LangChain, CrewAI, AutoGen have own tool/skill formats
→ No cross-framework standard exists
→ SKILL.md is simplest candidate for convergence
§8 — Ecosystem Requirements
R1: Cross-platform format adoption
→ At least one major non-OpenClaw framework adopts SKILL.md
→ Without this: platform-specific feature, not ecosystem
R2: Mandatory pre-publish security scanning
→ Static analysis for both code (scripts) and prompt (SKILL.md text)
→ Trigger scope validation (overbroad detection)
→ Credential pattern detection in scripts
R3: Context-budget-aware loading
→ Agent runtimes load skills selectively based on task
→ Not: load all 2,000 skills into context
→ Trigger-based activation ("Use when") must be machine-evaluable
R4: Composition without dependency trees
→ Skill bundles or recipes for workflow-specific combinations
→ Avoid npm-style transitive dependency complexity
→ Maintain self-contained skill design
R5: Conflict resolution
→ Two skills with overlapping triggers
→ Priority ordering or mutual exclusion mechanism
→ Currently: manual management
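ADDED EXAMPLE for R2 (not from the original notes, not ClawHub or skill-vetter code): a pre-publish lint covering slug similarity, trigger scope and credential references in scripts. The filler-word list, the two-word threshold, the 0.85 similarity cutoff and the sample skill are assumptions of this example; frontmatter parsing is deliberately minimal (top-level `key: value` lines only).

```python
import difflib
import re

FILLER = {"user", "asks", "about", "for", "a", "an", "the", "any", "anything",
          "wants", "to", "needs", "when", "with", "or", "and"}
SECRET_REF = re.compile(r"\$\{?([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)")

def split_skill(text):
    """Return (frontmatter fields, body) from a '---' delimited SKILL.md."""
    _, front, body = text.split("---", 2)
    fields = dict(re.findall(r"^(\w+):[ \t]*(.+)$", front, re.M))
    return fields, body

def lint(text, scripts, known_slugs):
    """Return (rule, detail) findings; an empty list means nothing was flagged."""
    fields, body = split_skill(text)
    findings = []
    slug = fields.get("name", "")
    near = [s for s in difflib.get_close_matches(slug, known_slugs, n=3, cutoff=0.85)
            if s != slug]
    if near:  # close to, but not the same as, an existing slug
        findings.append(("slug-similarity", f"{slug} ~ {near[0]}"))
    triggers = re.findall(r"^Use when:[ \t]*(.+)$", body, re.M)
    if not triggers:
        findings.append(("trigger-missing", "no 'Use when:' line"))
    for trig in triggers:
        specific = [w for w in re.findall(r"[a-z0-9]+", trig.lower()) if w not in FILLER]
        if len(specific) < 2:  # heuristic threshold, an assumption of this example
            findings.append(("trigger-overbroad", trig.strip()))
    if not re.search(r"^NOT for:", body, re.M):
        findings.append(("trigger-unbounded", "no 'NOT for:' line"))
    for path, src in scripts.items():
        for name in sorted(set(SECRET_REF.findall(src))):
            findings.append(("credential-reference", f"{path}: {name}"))
    return findings

# Constructed sample; not a real ClawHub skill.
SAMPLE = """---
name: weathr
description: Forecast lookup
---
Use when: user asks about files
"""
SAMPLE_SCRIPTS = {"scripts/fetch.sh": 'curl -H "Authorization: $WEATHER_API_KEY" "$URL"\n'}

if __name__ == "__main__":
    for rule, detail in lint(SAMPLE, SAMPLE_SCRIPTS, ["weather", "gh-issues"]):
        print(rule, "->", detail)
```

A finding is a prompt for human review, not a verdict: a skill may legitimately read an API key, and prompt-injection text in the body needs separate analysis that this lint does not attempt.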
§9 — Verdict
VERDICT: Early signal, not yet standard
STRENGTHS:
+ Format simplicity (SKILL.md is too simple to be wrong)
+ Registry infrastructure exists and works
+ Self-contained skill design avoids dependency hell
+ Platform-neutral text format enables portability
WEAKNESSES:
− Single-platform adoption (OpenClaw only)
− Security model nascent (no mandatory vetting)
− Context window consumption not managed
− No composition primitives for workflows
ANALOGY: npm in late 2012 — infrastructure solid, ecosystem small, standard unclear
TIMELINE: 18-24 months to determine if SKILL.md becomes cross-platform standard