Top 20 Must-Install ClawHub Skills (Security Filtered)
Claw

Top 20 Must-Install Skills on ClawHub (Sorted by Downloads, Suspicious Hidden)
Last Updated: 2026-03-06
Selection Methodology (How I picked these)
- Primarily based on the Downloads ranking via the ClawHub tracker (/skills?sort=downloads).
- Enabled the Hide suspicious toggle on the page to filter out untrusted content, then picked the top 20.
- Combined findings from each skill's Security Scan and runtime dependencies (bins/env), then gave an "Is it worth installing?" rating based on potential risks such as metadata inconsistency, hidden telemetry, or high-privilege install commands.
Security Warning: ClawHub has experienced malicious supply chain events in the past. Even for high-download skills, it is strongly recommended that you open the details page, review the Security Scan and SKILL.md, and check the comments section for warnings like "Don't run this script" before executing.
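A pre-install audit for the three risk classes named above (high-privilege install commands, telemetry over plain HTTP, and mismatches between documented and used keys), as an added example that is not part of the original post or of any ClawHub tooling. The regexes are heuristic assumptions, and the sample skill, EXAMPLE_API_KEY, OTHER_SERVICE_TOKEN and the telemetry URL are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions of this example, not ClawHub's scanner rules).
GLOBAL_INSTALL = re.compile(r"\bnp[mx]\b.*\s(?:-g|--global)\b")
PLAIN_HTTP = re.compile(r"http://(?!localhost|127\.0\.0\.1)[^\s\"')]+")
SECRET_ENV = re.compile(r"\b[A-Z][A-Z0-9_]*_(?:API_KEY|TOKEN|SECRET)\b")

def audit_skill(skill_dir):
    """Return a sorted list of (kind, detail) findings for one unpacked skill."""
    root = Path(skill_dir)
    doc = (root / "SKILL.md").read_text(encoding="utf-8", errors="replace")
    code = "\n".join(
        p.read_text(encoding="utf-8", errors="replace")
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != "SKILL.md")
    findings = set()
    # Global package installs, whether SKILL.md suggests them or a script runs them.
    for line in (doc + "\n" + code).splitlines():
        if GLOBAL_INSTALL.search(line):
            findings.add(("global-install", line.strip()))
    # Non-local endpoints reached over cleartext HTTP (e.g. telemetry).
    for url in PLAIN_HTTP.findall(code):
        findings.add(("plain-http", url))
    # Metadata inconsistency: keys in the docs vs. keys the code reads.
    documented, used = set(SECRET_ENV.findall(doc)), set(SECRET_ENV.findall(code))
    findings |= {("documented-but-unused-key", k) for k in documented - used}
    findings |= {("undocumented-key", k) for k in used - documented}
    return sorted(findings)

def build_sample(root):
    """Write a constructed skill (not a real ClawHub package) to audit."""
    root = Path(root)
    (root / "scripts").mkdir(parents=True)
    (root / "SKILL.md").write_text(
        "# demo-skill\nRequires EXAMPLE_API_KEY.\n"
        "Install: npx example-skills add demo -g -y\n", encoding="utf-8")
    (root / "scripts" / "run.py").write_text(
        "import os, urllib.request\n"
        "key = os.environ['OTHER_SERVICE_TOKEN']\n"
        "urllib.request.urlopen('http://telemetry.example.invalid/ping')\n",
        encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, detail in audit_skill(build_sample(Path(tmp) / "demo-skill")):
            print(f"{kind}: {detail}")
```

A hit is a prompt to read the flagged line in context, not a verdict; an empty result does not replace reviewing the Security Scan and comments.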
The Top 20 List (Priority & Install Recommendations)
Generic Install Command (OpenClaw/ClawdHub System):
- CLI: openclaw install <slug>
- Alternatively, download the ZIP from the web details page or manually install following SKILL.md.
| # | Skill | Slug | One-line Purpose | Dependencies / Keys | Risks & Recommendations | Details Link |
|---|---|---|---|---|---|---|
| 1 | self-improving-agent | self-improving-agent | Stores errors/corrections/experience as .learnings/, creating a continuous improvement loop | No extra keys | Highly Recommended: Improves long-term AI quality; just be careful not to write sensitive info to persistent files | |
| 2 | Tavily Web Search | tavily-search | Agent-oriented web search/extraction via Tavily API | node; TAVILY_API_KEY | Recommended: Lighter than a full headless browser; Note that queries/URLs are sent to Tavily; monitor key permissions and billing | |
| 3 | Find Skills | find-skills | Helps "find if an existing skill exists" and gives install commands | npx skills (Runs remote code at runtime) | Use with Caution: It guides the agent to install globally via npx ... -g -y, which is high risk; Better to enforce "Show command → User confirms → Then install" | |
| 4 | Gog | gog | CLI for Google Workspace (Gmail/Calendar/Drive/Sheets/Docs, etc.) | OAuth credentials; Needs local gog | Recommended (Must-have if using Google): A "Super Connector"; The initial OAuth configuration is slightly tedious | |
| 5 | Summarize | summarize | Uniform summarization of URLs/PDFs/Images/Audio/YouTube | summarize CLI; Model API key (OpenAI/Anthropic/Gemini…) | Recommended: Extremely versatile; Content will be sent to your chosen Model/extraction service; verify the CLI's installation source first | |
| 6 | Github | github | Manages issues/PRs/CIs/runs/API using the gh CLI | gh (login or token required) | Recommended: High frequency for developers; ensure the token has minimal permissions | |
| 7 | Weather | weather | Keyless weather forecasts (wttr.in / open-meteo) | curl | Recommended: Simple and usable; Location queries are sent to third-party weather services | |
| 8 | Proactive Agent | proactive-agent | An "Operating System" utilizing Proactive + WAL/Working buffers/Security hardening | No hard dependencies | Recommended but requires your rules: The documentation has conflicting verbiage around "Do it without asking" vs "Requires external approval". Enforce confirmation gates for external actions | |
| 9 | Sonoscli | sonoscli | Controls Sonos speakers (discovery/play/volume/groups) | sonos; Might require Go; Optional Spotify key | Niche Recommendation: Great for smart-home setups; Flagged as suspicious due to metadata inconsistencies, review SKILL.md / install source first | |
| 10 | Notion | notion | Read/write pages and DBs utilizing the Notion API | Notion integration key (local file) | Recommended (For heavy Notion users): API headers/versions are preset; Be careful with where you store the secret key | |
| 11 | Nano Pdf | nano-pdf | Allows the agent to use natural language to "edit a specific PDF page" | nano-pdf (recommend uv tool install nano-pdf) | Recommended (For writers/reviewers): Run a test on small files first and verify output | |
| 12 | Obsidian | obsidian | Operates an Obsidian vault (Searches/Creates/Moves/Deletes) | obsidian-cli; macOS biased | Caution: Scans ~/Library/.../obsidian.json to find vaults; Flagged suspicious due to metadata inconsistencies; Highly recommend testing on a "dummy vault" first | |
| 13 | Nano Banana Pro | nano-banana-pro | Image generation/editing (Gemini 3 Pro Image) | uv; GEMINI_API_KEY | Caution: Good functionality but flagged suspicious due to undocumented keys/dependencies; Audit script and run isolated | |
| 14 | Humanizer | humanizer | Modifies "AI-sounding" text to be more natural (Wikipedia rules based) | None | Recommended (Writing essential): Purely instruction-based, low risk; perfect for final polish | |
| 15 | API Gateway | api-gateway | Connects 100+ APIs via Maton OAuth aggregation | MATON_API_KEY | Recommended (Heavy SaaS automation): The key has massive privileges (equivalent to your Maton account); Suggest limiting the connection scope or using a dedicated account | |
| 16 | Openai Whisper | openai-whisper | Local Whisper CLI speech-to-text (API-free) | whisper (via brew); Model weights require disk space | Recommended: Excellent for private, local transcription; Note the disk space needed and the heavyweight initial model downloads | |
| 17 | OpenClaw YouTube Transcript | openclaw-youtube-transcript | Grabs subtitles straight via yt-dlp (No audio model required) | python3 + yt-dlp; Can set DISABLE_TELEMETRY=1 | Caution: Sends telemetry to the author's server by default, and it's over HTTP (not HTTPS); Must set DISABLE_TELEMETRY=1 or remove the telemetry code manually | |
| 18 | Brave Search | brave-search | Browserless search + extraction (Implemented by scraping Brave HTML) | npm ci (Installs packages) | Caution: The documentation claims it needs a BRAVE_API_KEY but the code doesn't use it; Inconsistency between capabilities and claims. Suggest using a different search skill | |
| 19 | Mcporter | mcporter | MCP toolkit: Lists tools/Invocations/Auth/Types generation | mcporter (npm package) | Advanced Recommendation: Can run --stdio execution subprocesses, which hold immense privileges; Only run in trusted environments | |
| 20 | Free Ride - Unlimited free AI | free-ride | Auto-selects/falls back to OpenRouter free models and overwrites OpenClaw configs | OPENROUTER_API_KEY; Rewrites ~/.openclaw/openclaw.json | Caution but highly useful: Back up config first; Ensure your OpenClaw ver/model names are compatible; prevent untrusted agents from exposing the key | |
My "Installation Sequence" Guidelines (Pain-Free Route)
- Establish the General Base: self-improving-agent + summarize + github + weather
- Setup Your Dominant Platform Connectors: gog (Google) / notion / api-gateway
- Fill Context Gaps (Scenario Based): Writing > humanizer; Audio > openai-whisper; PDF > nano-pdf; Search > tavily-search
- Touch with Caution (High Privileges / Telemetry / Meta-issues): find-skills / obsidian / nano-banana-pro / openclaw-youtube-transcript / brave-search / mcporter / free-ride
Sources
- Skills Directory (Sorted by Downloads, Hide suspicious ON):
- Individual Skill Pages: See the "Details Link" column in the table above.
