How MCP skills work in OpenClaw, navigating the ClawHub marketplace, installing and auditing skills safely.

MCP Skills and ClawHub Guide

MCP (Model Context Protocol) skills are the building blocks that give your OpenClaw agent abilities beyond basic conversation. This guide covers how they work, how to find them, and how to use them safely.

What Are MCP Skills?#

Skills are plugins that extend what your OpenClaw agent can do. Each skill is a directory containing a skill.md file with YAML frontmatter and instructions. When you install a skill, your agent gains new capabilities -- from sending emails to browsing the web to querying databases.

MCP skills are dominating the ecosystem in 2026. The Model Context Protocol, originally developed by Anthropic, has become the standard architecture for OpenClaw skills that interact with external services.

How Skills Work#

[User Message] --> [LLM] --> "I need to check email"
                     |
                     v
              [Skill: gmail-reader]
                     |
                     v
              [Gmail API] --> [Results]
                     |
                     v
              [LLM] --> [Formatted Response]
                     |
                     v
              [User gets email summary]

The LLM decides when to invoke a skill based on the user's message and the skill's description. You do not need to explicitly trigger skills -- the agent figures out which tool to use.

ClawHub: The Skills Marketplace#

ClawHub is the official marketplace for OpenClaw skills. Think of it as an app store for AI agent capabilities.

By the Numbers (March 2026)#

| Metric | Value | |--------|-------| | Total skills | 13,700+ | | MCP-based skills | ~65% | | Free and open-source | Majority | | Most installed category | Productivity | | Security-flagged skills | ~36% |

Searching for Skills#

ClawHub search is powered by embeddings (vector search), not just keywords. You can search by describing what you want in plain language:

# Search by capability
openclaw skill search "read and summarize emails"
openclaw skill search "manage calendar events"
openclaw skill search "scrape web pages"

Installing Skills#

# Install a skill from ClawHub
openclaw skill install <skill-name>

# List installed skills
openclaw skill list

# Update a skill
openclaw skill update <skill-name>

# Remove a skill
openclaw skill remove <skill-name>

Most skills are free and open-source. Some require external API keys (e.g., a Tavily search key, a Gmail app password).

Top Skill Categories#

Productivity#

Notion -- Read and write Notion pages and databases
Linear -- Manage issues, projects, and sprints
Calendar -- Google Calendar, iCal integration
Todoist -- Task management

Communication#

AgentMail -- Email sending and management
Gmail Reader -- Read and summarize emails
Telegram Automation -- Advanced Telegram features

Browser and Web#

Playwright MCP -- Full browser automation via CDP
Web Scraper -- Extract data from web pages
Tavily Search -- Web search with AI-optimized results

Development#

GitHub -- PR management, issue tracking, code review
Shell -- Execute shell commands (use with extreme caution)
File Editor -- Read and write local files

Research and Data#

Web Browser -- Browse and summarize web pages
RSS Reader -- Monitor feeds and news sources
Database -- Query PostgreSQL, MySQL, MongoDB

Building Your Own Skills#

You can create custom skills for your specific needs. A basic skill structure:

my-skill/
  skill.md        # Skill definition and instructions
  config.json     # Optional configuration
  README.md       # Documentation

Example skill.md:

---
name: my-custom-skill
description: Does something specific for my workflow
version: 1.0.0
author: your-name
tools:
  - name: do_something
    description: Performs the custom action
    parameters:
      - name: input
        type: string
        required: true
---

# My Custom Skill

Instructions for the AI on how to use this skill...

Publishing to ClawHub#

# Validate your skill
openclaw skill validate ./my-skill

# Publish to ClawHub
openclaw skill publish ./my-skill

Info

After the ClawHavoc campaign, ClawHub is improving its vetting process. New skills may undergo automated security scanning before publication. Check the latest ClawHub guidelines before publishing.

## Security: Vetting Skills

Given that 36% of ClawHub skills contain security flaws, vetting is essential.

Quick Vetting Checklist#

Check the publisher -- Verified publishers, established GitHub accounts
Check VirusTotal -- Every ClawHub skill has a security scan report
Read the source -- Skills are markdown files; read them before installing
Check the community list -- VoltAgent/awesome-openclaw-skills curates vetted skills
Test in isolation -- Install in a test workspace first

Red Flags#

Skills requesting access to .env files or credentials
Outbound network requests to unfamiliar domains
Modifications to SOUL.md or MEMORY.md
Obfuscated or base64-encoded content
Runtime dependency installation

See our complete Supply Chain Safety guide for detailed vetting procedures.

Skill Management Best Practices#

Start minimal -- Install only the skills you actually need
Review regularly -- Run openclaw security audit after any skill changes
Update often -- Keep skills updated for security patches
Restrict permissions -- Limit what each skill can access in your config
Monitor behavior -- Watch logs for unexpected skill invocations

# Regular maintenance
openclaw skill list              # What is installed?
openclaw skill outdated          # What needs updating?
openclaw security audit          # Any security issues?

Next Steps#

Supply Chain Safety -- Detailed skill vetting guide
First Agent -- Build a workflow using skills
Workflows -- Real-world skill combinations