Best OpenClaw Skills in 2026: Vetted, Ranked, and Safe
OpenClaw skills turn your AI agent from a chatbot into a capable digital employee. But not all skills are safe to install. Here is how to find the best ones and avoid the dangerous ones.
OpenClaw's skill system is what makes it more than just a chat interface. Skills are modular extensions that give your agent new capabilities: sending emails, managing calendars, writing code, browsing the web, making phone calls, and interacting with business tools. They are the difference between an agent that can only answer questions and one that can actually do work.
The ecosystem has grown fast. ClawHub, the community marketplace, now hosts over 2,000 skills contributed by developers around the world. Many are genuinely useful. Some are transformative. And some are outright dangerous.
This guide covers the best skills available in 2026, organized by category. More importantly, it covers how to evaluate skills for safety, because the wrong skill can compromise your entire system.
What Are OpenClaw Skills?
A skill is a packaged set of tools, prompts, and configurations that extend what an OpenClaw agent can do. Think of skills like apps for your AI agent. Each skill typically includes:
- Tools: Functions the agent can call (send an email, create a calendar event, query an API)
- Prompts: Instructions that teach the agent how and when to use those tools
- Configuration: Settings, API endpoints, and permission scopes the skill requires
Skills can be simple (a single tool that checks the weather) or complex (a full CRM integration with dozens of tools for lead management, pipeline tracking, and reporting). The best skills feel invisible. The agent just knows how to do something new after a skill is installed.
There are three ways to get skills:
- Built-in skills: Shipped with OpenClaw itself. These are maintained by the core team and generally safe.
- ClawHub marketplace: Community-contributed skills. Quality and security vary wildly.
- Custom skills: Skills you build yourself or have built for your specific use case.
The ClawHub Security Problem
Before recommending any skills, we need to address the elephant in the room: ClawHub has a serious security problem.
In early 2026, security researchers from Snyk discovered what they called the "ClawHavoc" campaign. They found 341 malicious skills on ClawHub designed to steal credentials, exfiltrate data, and install persistent backdoors. The most popular third-party skill on the entire marketplace turned out to be a five-stage malware delivery vehicle. It used a fake npm dependency, obfuscated payloads, and a macOS Gatekeeper bypass to steal browser cookies, passwords, and cryptocurrency wallet data.
That was not an isolated incident. A broader audit revealed that 7.1% of all skills on ClawHub leak credentials in some form. Some do it intentionally (malware). Others do it accidentally (poor coding practices that send API keys through LLM API calls where they end up in provider logs).
ClawHub has since partnered with VirusTotal to scan published skills. This is a genuine improvement, but it is reactive. Skills are scanned after publication, not before. Malicious skills can be live for hours or even days before detection. New obfuscation techniques can bypass automated scanning entirely.
We wrote a detailed analysis of this situation: 341 Malicious Skills, 3 CVEs, and a Government Warning: The State of OpenClaw Security.
This does not mean all ClawHub skills are dangerous. Many are excellent. But it does mean you need to evaluate every skill carefully before installing it. The rest of this guide will help you do exactly that.
OpenClaw Built-In Skills: What Comes Pre-Installed
Before installing anything from ClawHub, it helps to know what OpenClaw ships with out of the box. Built-in skills are maintained by the OpenClaw core team and do not require separate installation.
OpenClaw's built-in capabilities include web browsing (fetch and read any URL), file system access (read, write, and organize files in the workspace), code execution (run Python, JavaScript, and shell commands in a sandbox), calendar access on supported platforms, and email reading on configured accounts.
These built-in skills cover most basic productivity tasks. The ClawHub marketplace exists for specialized integrations: connecting to external services like GitHub, Slack, CRMs, scheduling tools, and voice platforms.
On ClawTrust, every agent ships with six pre-vetted skills installed on top of the built-ins: clawtrust-core (system integration), clawtrust-credentials (secure credential proxy), clawtrust-email (agent email identity), github-developer (GitHub automation), cal-com-scheduling (calendar management), and vapi-voice-agent (phone call handling).
Best OpenClaw Skills by Category
We evaluated skills across six categories based on functionality, code quality, maintenance activity, permission scope, and security posture. Each skill gets a safety rating:
- Safe: Built-in or well-audited, minimal permissions, active maintenance
- Caution: Useful but requires careful configuration or has broad permissions
- Avoid: Known security issues, abandoned, or unnecessary permission requests
Communication Skills
Communication skills connect your agent to messaging platforms. These are among the most useful and most popular skills in the ecosystem.
| Skill | What It Does | Safety Rating | Notes |
|---|---|---|---|
| Telegram Plugin | Two-way messaging, file sharing, group chat | Safe | Built-in. Enable DM pairing to prevent unauthorized access. |
| Slack Plugin | Workspace messaging, channel monitoring, file sharing | Safe | Built-in. Supports per-message identity with custom username and avatar. |
| Discord Plugin | Server messaging, channel management, role-based access | Safe | Built-in. Good for community management and support. |
| WhatsApp Plugin | Business messaging, media sharing, customer communication | Safe | Built-in. Requires WhatsApp Business API access. |
| Email Skill | Send and receive emails, manage attachments, follow-up automation | Caution | Community skill. Verify it does not log email content to external servers. ClawTrust uses a vetted custom implementation. |
The built-in messaging plugins (Telegram, Slack, Discord, WhatsApp) are the safest options for communication. They are maintained by the OpenClaw core team and receive regular security updates. Always enable DM pairing on messaging channels to require approval before the agent responds to new contacts.
Productivity Skills
Productivity skills handle scheduling, task management, and organizational workflows.
| Skill | What It Does | Safety Rating | Notes |
|---|---|---|---|
| Cal.com Scheduling | Create and manage bookings, check availability, send invites | Safe | Well-maintained, scoped API access. Ideal for appointment-based businesses. |
| Google Calendar | Read/write calendar events, scheduling, reminders | Caution | Requires broad Google OAuth scopes. Use a credential broker instead of storing tokens on the agent. |
| Todoist Integration | Task creation, project management, priority sorting | Safe | Simple API, limited permission scope. Good for personal task management. |
| Notion Integration | Page creation, database queries, knowledge base management | Caution | Community skill. Verify the integration scopes are limited to the specific pages your agent needs. |
Cal.com is a standout here. It is open-source, well-documented, and the API permissions are naturally scoped to scheduling operations. Google Calendar works well but demands broader OAuth scopes, so use a credential broker to keep tokens off the agent's server.
Development Skills
Development skills give your agent the ability to interact with code repositories, CI/CD pipelines, and development workflows.
| Skill | What It Does | Safety Rating | Notes |
|---|---|---|---|
| GitHub Developer | PR reviews, issue management, code search, CI/CD monitoring | Safe | Use fine-grained personal access tokens scoped to specific repositories. |
| Code Execution (Python) | Run Python scripts, data analysis, automation scripting | Caution | Powerful but inherently risky. Must run inside a sandbox with no network access to external servers. |
| GitLab Integration | Merge request management, pipeline monitoring, issue tracking | Caution | Community skill. Audit the token scopes carefully. Some versions request admin-level access unnecessarily. |
GitHub integration is one of the most valuable skills for development teams. Use fine-grained tokens scoped to specific repositories rather than classic tokens with broad access. For code execution, ensure the sandbox is properly configured. An unsandboxed code execution skill is essentially giving an AI agent a shell on your server. Read our security hardening guide for sandbox configuration details.
Business Skills
Business skills connect your agent to CRM systems, invoicing tools, and other commercial platforms.
| Skill | What It Does | Safety Rating | Notes |
|---|---|---|---|
| HubSpot CRM | Contact management, deal tracking, pipeline updates, email logging | Caution | Broad API scopes. Use a credential broker and limit to read+write on contacts and deals only. |
| Stripe Billing | Invoice creation, payment status, subscription management | Avoid (unvetted) | Payment API access is high-risk. Community skills handling financial data need thorough auditing before use. |
| Linear/Jira Integration | Issue creation, sprint management, status updates | Safe | Project management APIs are generally low-risk. Scope tokens to the specific project. |
Business skills require extra scrutiny because they often handle sensitive commercial data. CRM integrations touch customer lists, deal values, and communication histories. Any skill that accesses financial APIs (Stripe, QuickBooks, etc.) should be considered high-risk and audited line by line before installation. A credential broker is essential here to keep API keys off the agent's server.
Research Skills
Research skills enable your agent to gather information from the web, analyze documents, and extract structured data.
| Skill | What It Does | Safety Rating | Notes |
|---|---|---|---|
| Browser Automation | Web browsing, form filling, data extraction, screenshot capture | Caution | Built-in. Powerful but can be exploited via prompt injection on visited pages. Sandbox strictly. |
| Web Search | Search engines, news aggregation, competitor monitoring | Safe | Read-only by nature. Minimal risk as long as search results are not blindly executed. |
| Document Analysis | PDF parsing, spreadsheet analysis, data extraction from files | Safe | Local processing, no external network calls needed. Verify the skill does not upload files. |
Browser automation is one of the most requested capabilities. It lets your agent navigate websites, fill out forms, and extract information. It is also one of the higher-risk skills because visited web pages can contain prompt injection attacks. Always run browser automation inside a sandbox, and be cautious about letting the agent visit untrusted URLs.
Voice Skills
Voice skills enable your agent to make and receive phone calls, acting as a voice assistant.
| Skill | What It Does | Safety Rating | Notes |
|---|---|---|---|
| VAPI Voice Agent | Inbound/outbound phone calls, voice-to-text, call routing | Caution | Requires phone number provisioning and careful rate limiting to prevent spam calls. |
| Text-to-Speech | Convert agent responses to audio, voice message replies | Safe | Output-only capability. Low risk as long as the TTS provider is reputable. |
Voice is an emerging category for OpenClaw skills. VAPI integration is the most mature option, enabling your agent to handle phone calls for appointment scheduling, customer support, and lead qualification. Be mindful of rate limiting, as an unconstrained voice agent could rack up significant telephony costs.
How to Evaluate a Skill Before Installing
Whether you find a skill on ClawHub or get it from a third-party repository, run through this evaluation process before installation. Not every skill is malicious, but even well-intentioned skills can have security flaws.
The 5-Point Skill Safety Checklist
- Check the author's track record. Who published this skill? Do they have other well-maintained projects? A skill from an unknown author with no other public work deserves more scrutiny than one from an established developer with a history of contributions.
- Read the source code. OpenClaw skills are open source. Read the code. Specifically, look at what network calls the skill makes, what data it sends, and where it sends it. Any outbound requests to unfamiliar domains are a red flag.
- Check for unnecessary permissions. A calendar skill should not need access to your filesystem. A search skill should not need write permissions. If a skill requests permissions that do not match its stated purpose, that is suspicious.
- Look for hardcoded URLs or data exfiltration patterns. Search the code for hardcoded URLs, base64-encoded strings, and obfuscated code. The ClawHavoc malware used obfuscated payloads and fake npm dependencies. Legitimate skills do not need to hide what they are doing.
- Check install count and community feedback. High install counts with positive community feedback are a good sign, but not foolproof. Remember, the most popular third-party skill on ClawHub was malware. Use community feedback as one signal among many, not as the sole indicator.
If a skill fails any of these checks, do not install it. The convenience of a single skill is never worth the risk of compromising your agent, your credentials, or your customers' data.
Red Flags to Watch For
- Skills that require your API keys to be stored in their configuration files (instead of using environment variables or a credential broker)
- Minified or obfuscated JavaScript in the skill package
- Skills that install additional npm dependencies you did not expect
- Outbound HTTP calls to domains unrelated to the skill's stated purpose
- Skills that request shell access or filesystem write permissions without a clear reason
- Recently published skills with suspiciously high download counts
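The checklist and red flags above can be partly automated before a manual read of the code. The following static scan is an added example, not code from OpenClaw, ClawHub, or ClawTrust; the function names, thresholds, and the sample skill (file names, domains, dependency names) are constructed for illustration. It only touches formats the page names (JavaScript sources and npm's `package.json`).

```python
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'`<>)\\;,]+", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")          # heuristic: long encoded blob
INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # npm runs these at install time
JS_SUFFIXES = {".js", ".mjs", ".cjs"}
TEXT_SUFFIXES = JS_SUFFIXES | {".ts", ".py", ".sh", ".json", ".yaml", ".yml"}
MAX_LINE = 1000  # assumption: a source line this long is minified or packed


def check_package_json(text, expected_deps):
    """Flag install-time scripts and dependencies the reviewer did not expect."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return ["package.json is not valid JSON"]
    if not isinstance(pkg, dict):
        return ["package.json is not a JSON object"]
    scripts = pkg.get("scripts") or {}
    out = [f"npm script runs at install time: {h}" for h in INSTALL_HOOKS if h in scripts]
    for section in ("dependencies", "optionalDependencies"):
        for name in pkg.get(section) or {}:
            if name not in expected_deps:
                out.append(f"unexpected npm dependency: {name}")
    return out


def unlisted_hosts(text, allowed_domains):
    """Hosts of hardcoded URLs that are neither an allowed domain nor a subdomain of one."""
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            # urlparse drops any "user@" prefix, so the real host is what gets compared
            host = (urlparse(url).hostname or url).lower()
        except ValueError:  # malformed URL: report it rather than skip it
            host = url
        if not any(host == d or host.endswith("." + d) for d in allowed_domains):
            hosts.add(host)
    return hosts


def scan_skill(skill_dir, allowed_domains, expected_deps):
    """Return a sorted list of (relative_path, finding) for one skill directory."""
    root = Path(skill_dir)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in TEXT_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for host in unlisted_hosts(text, allowed_domains):
            findings.add((rel, f"URL to unlisted domain: {host}"))
        if B64_RE.search(text):
            findings.add((rel, "long base64-like string"))
        if path.suffix in JS_SUFFIXES and any(len(line) > MAX_LINE for line in text.splitlines()):
            findings.add((rel, "minified or packed JavaScript"))
        if path.name == "package.json":
            findings.update((rel, f) for f in check_package_json(text, expected_deps))
    return sorted(findings)


def demo():
    """Scan a constructed sample skill; every name and domain below is made up."""
    files = {
        "package.json": json.dumps({
            "name": "sample-scheduler-skill",
            "scripts": {"postinstall": "node tools/loader.js"},
            "dependencies": {"node-fetch": "^3.3.0", "calender-utils": "1.0.0"},
        }),
        "tools/booking.js": 'fetch("https://api.scheduler.example/v1/bookings");\n'
                            'fetch("https://cdn-metrics.example.net/collect");\n',
        "tools/helper.js": "var a=1;" * 200 + "\n",
        "tools/loader.js": 'const blob = "' + "QUJD" * 30 + '";\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_skill(tmp, {"scheduler.example"}, {"node-fetch"})


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

A clean result from a scan like this is not a pass: it narrows where to read first, and lockfile integrity hashes will also trip the base64 heuristic.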
The Pre-Vetted Alternative: ClawTrust's Curated Skills
ClawTrust takes a different approach to skills. Instead of connecting to ClawHub's open marketplace, we deploy a curated set of pre-vetted skills on every agent.
6 Pre-Vetted Skills on Every ClawTrust Agent
Every ClawTrust agent ships with six skills that have been audited for security, data handling, and permission scope:
- ClawTrust Core: Platform integration, health reporting, configuration management. This is the foundation skill that connects your agent to the ClawTrust control plane.
- ClawTrust Credentials: Secure credential access through our vault. Your agent requests credentials through this skill, and the control plane injects them at the proxy layer. The agent never sees the underlying passwords or API keys.
ClawTrust also ships with a runtime EDR layer that monitors tool usage continuously. Every tool call - including credential requests - is evaluated against behavioral rules before execution. If an installed skill attempts unusual credential access patterns or triggers a MITRE ATT&CK indicator, the activity is flagged and logged before it completes. This gives you an audit trail not just of what credentials were accessed, but of the full context: which tool requested them, from which session, and whether the request matched expected behavior for your agent.
- ClawTrust Email: Professional email identity with send/receive capabilities. Available on Pro and Enterprise tiers. Uses dedicated email infrastructure separate from platform communications.
- GitHub Developer: Repository management, PR reviews, CI/CD monitoring, and issue tracking. Configured with fine-grained tokens scoped to your specific repositories.
- Cal.com Scheduling: Appointment booking, availability checking, and calendar management. Ideal for service businesses that need automated scheduling.
- VAPI Voice Agent: Inbound and outbound phone call handling with voice-to-text and call routing. Enables your agent to handle phone-based customer interactions.
What We Audit For
Every skill deployed on ClawTrust goes through a four-point audit:
- Data handling: Where does data go? Is anything sent to external servers that should not be? Are logs sanitized to prevent credential leakage?
- Permissions: Does the skill request only the permissions it needs? Are scopes minimized?
- Network calls: What outbound connections does the skill make? Are they all to expected, documented endpoints?
- Credential access: How does the skill handle API keys and tokens? Does it use environment variables or a credential broker, or does it store secrets in plaintext?
Skills that fail any part of this audit are not deployed. Period.
Custom Skills on Enterprise
Enterprise tier customers can request custom skills tailored to their specific business needs. These go through the same audit process as our standard skills. If you need an integration that we do not currently offer, we build it, vet it, and deploy it to your agent. No ClawHub dependency, no marketplace risk.
Every skill in this guide is pre-installed on ClawTrust agents. You get GitHub, Cal.com, Slack, email identity, credentials vault, and voice - vetted and configured before you log in. ClawHub has 341 confirmed malicious skills. None of them come near your agent.
Building Custom Skills
Sometimes the skill you need does not exist. OpenClaw's skill format is straightforward, and building a custom skill is a practical option for teams with specific requirements.
Skill Format Overview
An OpenClaw skill is a directory containing:
- skill.json or skill.yaml: Metadata, description, and configuration schema
- tools/: Tool definitions (functions your agent can call)
- prompts/: System prompts and instructions for the agent
- README.md: Documentation for users
Tools are defined as JSON schemas describing their inputs, outputs, and descriptions. The agent uses these schemas to understand when and how to invoke each tool. Prompts provide context about when to use the skill and how to interpret results.
When to Build vs. Use Existing
Build a custom skill when:
- You need to integrate with a proprietary internal API
- Existing skills request permissions broader than what you are comfortable granting
- You need precise control over how data flows between your agent and external services
- No existing skill covers your use case
Use an existing skill when:
- A well-maintained, audited version exists (built-in or from a trusted source)
- The permission scope is appropriate
- The skill has active maintenance and security patch history
- Building a custom version would duplicate effort without improving security
Security Considerations for Custom Skills
When building your own skills, follow these practices:
- Never hardcode credentials. Use environment variables or a credential broker.
- Minimize permissions. Request only the API scopes your skill actually needs.
- Sanitize outputs. Strip sensitive data from tool responses before they enter the LLM context window. API keys, tokens, and PII in the context window can leak through generated responses.
- Validate inputs. Treat all tool inputs as untrusted. The agent's inputs are ultimately derived from user messages, which could contain prompt injection attempts.
- Avoid shell commands. If your skill needs to execute system commands, use a sandboxed execution environment. Never pass unsanitized input to a shell.
- Log carefully. Do not log credential values, API keys, or PII. Log tool invocations and results at a level that supports debugging without exposing secrets.
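The "validate inputs" and "sanitize outputs" practices can be enforced in one wrapper around every tool handler. This is an added example, not OpenClaw's or ClawTrust's code; the `get_booking` tool, its schema, the redaction patterns, and the sample upstream response are all constructed, and the validator covers only a small subset of JSON Schema.

```python
import re

REDACTED = "[REDACTED]"
# Keys whose values never belong in the LLM context (over-matching is acceptable here).
SECRET_KEY_RE = re.compile(r"api[_-]?key|token|secret|passw(or)?d|authorization|cookie", re.I)
SECRET_VALUE_RES = [
    re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]{8,}"),                 # Authorization header values
    re.compile(r"eyJ[\w-]{5,}\.[\w-]{5,}\.[\w-]{5,}"),              # JWT-shaped strings
    re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),  # e-mail addresses (PII)
]


def sanitize(value):
    """Return a copy of a tool response that is safe to place in the LLM context."""
    if isinstance(value, dict):
        return {k: REDACTED if SECRET_KEY_RE.search(str(k)) else sanitize(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [sanitize(v) for v in value]
    if isinstance(value, str):
        for pattern in SECRET_VALUE_RES:
            value = pattern.sub(REDACTED, value)
    return value


def validate(args, schema):
    """Check tool arguments against a small JSON-Schema subset; return error strings."""
    if not isinstance(args, dict):
        return ["arguments must be an object"]
    props = schema.get("properties", {})
    errors = [f"missing required field: {n}" for n in schema.get("required", []) if n not in args]
    for name, val in args.items():
        spec = props.get(name)
        if spec is None:
            errors.append(f"unexpected field: {name}")  # treat as additionalProperties: false
        elif spec.get("type") == "string":
            if not isinstance(val, str):
                errors.append(f"{name}: expected string")
            elif len(val) > spec.get("maxLength", 256):
                errors.append(f"{name}: too long")
            # fullmatch is deliberately stricter than JSON Schema's unanchored "pattern"
            elif "pattern" in spec and not re.fullmatch(spec["pattern"], val):
                errors.append(f"{name}: does not match {spec['pattern']}")
    return errors


def run_tool(handler, schema, args):
    """Validate first, call the handler, and sanitize whatever it returns."""
    errors = validate(args, schema)
    if errors:
        return {"ok": False, "errors": errors}  # the handler never sees rejected input
    return {"ok": True, "result": sanitize(handler(**args))}


# Hypothetical tool definition and handler, constructed for this example.
GET_BOOKING_SCHEMA = {
    "type": "object",
    "required": ["booking_id"],
    "properties": {"booking_id": {"type": "string", "pattern": "[A-Za-z0-9_-]{1,32}"}},
}


def get_booking(booking_id):
    # Constructed upstream response that echoes a key, a header, and an e-mail address.
    return {
        "id": booking_id,
        "attendee": "Ada <ada@customer.example>",
        "api_key": "constructed-key-123",
        "debug": {"request_headers": ["Authorization: Bearer abcdEFGH12345678"]},
        "notes": ["call back Tuesday"],
    }


if __name__ == "__main__":
    print(run_tool(get_booking, GET_BOOKING_SCHEMA, {"booking_id": "bk_1042"}))
    print(run_tool(get_booking, GET_BOOKING_SCHEMA, {"booking_id": "bk_1042; extra"}))
```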
Skill Ecosystem: Where Things Are Heading
The OpenClaw skill ecosystem is maturing rapidly. A few trends worth watching:
- Verified publisher program: ClawHub is rolling out publisher verification, similar to app store verified badges. This will not eliminate malicious skills, but it adds an accountability layer.
- Sandboxed skill execution: Upcoming OpenClaw versions are expected to improve per-skill sandboxing, limiting what each skill can access on the host system.
- MCP (Model Context Protocol) convergence: Many skill authors are building MCP-compatible tools that work across multiple agent platforms. This broadens the ecosystem beyond OpenClaw-specific skills.
- Enterprise skill registries: Companies are starting to run private skill registries, similar to private npm registries, to control what skills can be installed on corporate agents.
The direction is positive. The ecosystem is becoming more secure and more standardized. But today, in February 2026, the responsibility for skill safety still falls primarily on the operator.
Frequently Asked Questions
What are the best OpenClaw skills for business use?
The best business-oriented OpenClaw skills are communication plugins (Slack, Telegram, WhatsApp), scheduling integrations (Cal.com), GitHub for development workflows, and CRM connectors (HubSpot, Salesforce). For security-critical deployments, use pre-vetted skills from a managed provider like ClawTrust rather than unaudited marketplace options.
Are OpenClaw skills safe to install?
It depends on the source. Built-in skills maintained by the OpenClaw core team are generally safe. Community skills on ClawHub vary widely. Security researchers found 341 malicious skills and determined that 7.1% of marketplace skills leak credentials. Always audit skills before installation, or use a managed platform that deploys pre-vetted skills.
How do I install OpenClaw skills?
Skills can be installed by placing them in the OpenClaw skills directory, referencing them in your configuration file, or installing them through ClawHub's marketplace. On managed platforms like ClawTrust, skills are pre-installed and configured for you. For self-hosted instances, download the skill repository, review the code, and add the skill path to your OpenClaw configuration.
What is ClawHub and is it safe?
ClawHub is the community marketplace for OpenClaw skills. It hosts over 2,000 skills contributed by developers worldwide. While many skills are legitimate and useful, the marketplace has had significant security issues. The ClawHavoc campaign planted 341 malicious skills, and 7.1% of skills were found to leak credentials. ClawHub now uses VirusTotal scanning, but detection is reactive, not preventive.
Can I build my own OpenClaw skills?
Yes. OpenClaw's skill format is open and well-documented. A skill is a directory containing tool definitions (JSON schemas), prompts, and metadata. Building custom skills gives you full control over permissions, data handling, and security. This is the best approach for proprietary integrations or when existing marketplace options do not meet your security requirements.
How many skills can an OpenClaw agent run at once?
There is no hard limit on the number of skills, but practical limits depend on your server resources and context window size. Each skill adds tools and prompts to the agent's context. Running 10-15 skills simultaneously is typical for production agents. Beyond that, performance can degrade as the context window fills with tool definitions. Focus on installing only the skills your agent actually needs.
What is the difference between OpenClaw skills and plugins?
In OpenClaw, "skills" and "plugins" are sometimes used interchangeably, but they serve different purposes. Plugins are built-in extensions that handle core functionality like messaging channels (Telegram, Slack, Discord). Skills are modular packages that add new tool capabilities. Plugins are part of the OpenClaw codebase. Skills are installable add-ons from ClawHub, custom builds, or managed providers.
Do ClawTrust agents use ClawHub?
No. ClawTrust does not install skills from ClawHub. Every ClawTrust agent ships with six pre-vetted skills that have been audited for data handling, permissions, network behavior, and credential access. Enterprise customers can request custom skills that go through the same audit process. This eliminates the supply chain risk associated with open marketplace skills.
Conclusion
OpenClaw's skill ecosystem is one of its greatest strengths and one of its biggest risks. The right skills transform your agent from a conversational novelty into a genuine digital employee. The wrong skills can compromise your credentials, expose your customers' data, and create liabilities you did not know existed.
The safest approach is to start with built-in skills and vetted options, evaluate any marketplace skills through the 5-point checklist, and use a credential broker to keep API keys off the agent's server. If you would rather skip the evaluation process entirely, ClawTrust deploys pre-audited skills on every agent with no ClawHub dependency.
For more on OpenClaw security, read our deep dive on the 341 malicious skills found on ClawHub and our complete security hardening guide. You can also review our security architecture to understand how ClawTrust protects your agent at every layer.
Chris DiYanni is the founder of ClawTrust. Previously at Palo Alto Networks, SentinelOne, and PagerDuty. He builds security infrastructure so businesses can trust their AI agents with real work.