clawdhub

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the installation of the clawdhub package from npm and subsequently downloads agent skills from https://clawdhub.com. Neither the registry nor the package author is on the trusted sources list.
  • REMOTE_CODE_EXECUTION (MEDIUM): The clawdhub install and clawdhub update commands facilitate the retrieval of external code (skills) and their placement into the local file system. If these skills contain executable scripts or sensitive prompts, they would be executed in the agent's context.
  • COMMAND_EXECUTION (LOW): The skill relies on shell commands for package management (npm i -g) and CLI operations, which may require elevated permissions depending on the environment.
  • INDIRECT_PROMPT_INJECTION (LOW): This skill provides an ingestion surface for untrusted data from an external registry.
      • Ingestion points: External skills are downloaded via clawdhub install into the ./skills directory.
      • Boundary markers: None identified; downloaded skills are treated as legitimate instructions/code.
      • Capability inventory: Includes npm installation and arbitrary file writes via the clawdhub CLI.
      • Sanitization: There is no evidence of validation or sanitization of the skills downloaded from the registry.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 17, 2026, 01:49 PM