How to Install OpenClaw Skills the Right Way in Five Steps

TL;DR: Run openclaw skills install to add any ClawHub skill. Use --allow-tools to restrict what a skill can touch, test it with openclaw run --sandbox, and log the usage note in your AGENTS.md file. The full safe install takes about five minutes per skill.

Installing OpenClaw skills unlocks a lot of capability fast. You can add web scrapers, email summarizers, code reviewers, and data pipeline skills, all from the same ClawHub directory, without building anything from scratch.

The catch is that most guides stop at “run the install command” and skip the parts that actually matter: what gets installed, which permissions you should restrict, and how to confirm the skill is working before you let it loose on real data. This guide covers that full arc.

If you already understand how the OpenClaw agent loop works, you know that skills extend what the loop can do by registering new tools. Every registered tool is a potential action the agent can take, so the install step is really a permission decision as much as a software decision.

The good news is that OpenClaw’s CLI gives you enough control to install skills safely by default. You just need to know which flags to use. This guide walks through each step in order.


How to Find Skills on ClawHub Worth Installing

Start on the ClawHub directory, filter by the Verified badge, then sort by Most Installed. Verified skills have had their tool manifest reviewed. Sorting by installs surfaces skills with real usage history rather than brand-new submissions.

Go to clawub.io (or the ClawHub tab inside your OpenClaw dashboard) and use the category filter on the left. Categories include Productivity, Web, Data, Code, Communication, and Finance. Pick the category that matches your use case.

Once you have results, set the sort to “Popular” and look for the blue Verified badge. That badge means someone on the ClawHub team has reviewed the skill’s manifest, but it is not a security audit. Treat it as a baseline signal, not a guarantee.

Read the skill’s README before installing. Look for what tools it requests in the manifest, whether the author has other published skills, and whether the Issues tab shows unresolved problems. Five minutes here saves a lot of cleanup later.

The Exact Command Sequence for a Safe Install

The full safe install runs five commands in order: inspect the manifest, install with restricted permissions, list installed skills, run in sandbox, then run verbose to verify behavior.

Here is the numbered sequence for installing any skill safely:

  1. Inspect the manifest before touching anything.
   openclaw skills inspect <skill-name>

This prints the tool manifest without installing anything. You can see exactly which tools the skill registers and what permissions it requests by default.

  2. Install with explicit tool restrictions.
   openclaw skills install <skill-name> --allow-tools file_read,web_get

The --allow-tools flag sets a deny-by-default policy. Only the tools you list are available to the skill. Anything not listed is blocked at the runtime level, not just by convention.

  3. Confirm the skill appears in your list.
   openclaw skills list

This shows every installed skill and its permission scope. Check that the permissions shown match what you passed to --allow-tools.

  4. Test in sandbox mode before using real data.
   openclaw run --sandbox <skill-name>

Sandbox mode limits file writes to a temporary directory and blocks outbound network calls to anything outside a permitted list. Run your intended task here first.

  5. Run a verbose session to verify actual tool calls.
   openclaw session --verbose

This logs every tool call the agent makes in real time. Watch the output during your first real run. If the skill is trying to call tools you did not allow, the session log shows the blocked attempt, and you can tighten permissions further.

Skills are installed to ~/.openclaw/skills/. Each skill gets its own subdirectory named after the skill slug.

Inside that directory, you will find the manifest file (skill.json), the skill’s instruction set, and any bundled prompts or templates the skill uses.

Understanding Tool Permissions Before You Install

The --allow-tools flag takes a comma-separated list of permission types. Grant only what the skill needs for its stated purpose. A web research skill does not need file_write or bash.

Here is a reference table for the permission types OpenClaw supports:

| Permission | What it allows | Safe to grant |
|---|---|---|
| file_read | Read files from your filesystem | Yes, for most skills |
| file_write | Create or overwrite files | Only if skill needs to save output |
| web_get | Fetch URLs and read responses | Yes, for web/research skills |
| web_post | Send POST requests to external services | Only if skill submits data somewhere |
| bash | Run arbitrary shell commands | Rarely. High risk. Review manifest first. |
| email | Read or send email via connected accounts | Only for explicitly email-focused skills |

The bash permission is the one to be most careful about. A skill with bash access can run system commands with the same privileges as your user account.

Recent coverage of autonomous agent behavior, including a reported incident where an AI agent deleted emails while operating unsupervised, illustrates why scoping permissions at install time is not optional housekeeping. It is the main control you have.

If you are unsure what a skill actually needs, start with the minimum set and add permissions only when the skill fails with a clear permission error.

Before and After Permission Scoping in Practice

Installing without --allow-tools grants the skill whatever permissions its manifest requests by default. Adding the flag restricts it to exactly what you specify. The difference is significant for skills that request broad access.

Before (no permission scoping):

openclaw skills install clawfetch-summarizer

The manifest for clawfetch-summarizer requests file_read, file_write, web_get, and web_post. All four are granted by default. The skill can now write files and post data to external URLs.

After (explicit scoping):

openclaw skills install clawfetch-summarizer --allow-tools file_read,web_get

Now the skill can read files and fetch URLs, but cannot write files or post data anywhere. If the summarizer tries to save output to disk, it gets a permission error. You handle the output yourself, explicitly.

This matters most for skills that combine web access with file or email permissions. You can read about documented ClawHub skill security risks if you want more context on the specific risk patterns these permission types create.

How to Configure AGENTS.md for Each Installed Skill

AGENTS.md is where you write skill-specific usage instructions that the agent reads at the start of every session. Add one entry per installed skill describing what it does, when to use it, and any limits you want enforced.

After installing a skill, open your project’s AGENTS.md (or create one at the project root) and add a section for it. Here is a concrete example for a research skill:

## clawfetch-summarizer

Use this skill when asked to summarize content from a URL.
- Permitted tools: file_read, web_get (no file_write, no web_post)
- Do NOT use this skill for internal URLs or anything behind a login
- Output summaries to the terminal only, do not save to disk unless explicitly asked
- If the URL returns an error, stop and report it rather than retrying automatically

The AGENTS.md entry does two things. First, it tells the agent when it is appropriate to call this skill. Second, it sets behavioral boundaries in plain language that the agent reads as context.

This complements the hard permission limits set at install time.

Keep entries short. Two to four bullet points per skill is enough. The goal is to make the intended use unambiguous, not to write a full spec.

Removing a Skill and What Gets Cleaned Up

Run openclaw skills remove to uninstall. The CLI removes the skill directory from ~/.openclaw/skills/, deregisters its tools from the active session, and removes it from the skills list. AGENTS.md entries are not removed automatically.

openclaw skills remove clawfetch-summarizer

After the command runs, verify with openclaw skills list that the skill no longer appears. Then remove the corresponding AGENTS.md entry manually.

Leaving stale AGENTS.md entries causes the agent to reference a skill that no longer exists, which can trigger an agent loop in which it tries to call a missing tool repeatedly.
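One way to catch stale entries after a removal, and installed skills that never got an entry, is a two-way check between AGENTS.md and the skills directory. This is an added example, not part of OpenClaw's tooling; it assumes every "## <slug>" heading in AGENTS.md names a skill, and the example-* slugs and fixture contents are constructed.

```shell
# Added example (not OpenClaw's own tooling). Assumption: each level-2 heading
# in AGENTS.md is a skill slug, as in the clawfetch-summarizer entry on this page.

# agents_slugs FILE: print the slug from every "## <slug>" heading.
agents_slugs() {
    sed -n 's/^##[[:space:]]\{1,\}\([A-Za-z0-9._-]\{1,\}\)[[:space:]]*$/\1/p' "$1"
}

# stale_entries FILE DIR: AGENTS.md entries whose skill directory is gone.
stale_entries() {
    agents_slugs "$1" | while read -r slug; do
        [ -d "$2/$slug" ] || echo "$slug"
    done
}

# undocumented_skills FILE DIR: installed skills with no AGENTS.md entry.
undocumented_skills() {
    for d in "$2"/*/; do
        [ -d "$d" ] || continue
        slug=$(basename "$d")
        agents_slugs "$1" | grep -qxF -- "$slug" || echo "$slug"
    done
}

# demo: builds a constructed fixture in a temp dir and reports both directions.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/skills/clawfetch-summarizer" "$tmp/skills/example-notes"
    printf '%s\n' '# Agent notes' '' \
        '## clawfetch-summarizer' '- Permitted tools: file_read, web_get' '' \
        '## example-removed' '- Permitted tools: file_read' > "$tmp/AGENTS.md"
    echo "stale=$(stale_entries "$tmp/AGENTS.md" "$tmp/skills")" \
         "undocumented=$(undocumented_skills "$tmp/AGENTS.md" "$tmp/skills")"
    rm -rf "$tmp"
}

demo
```

Against a real project, call stale_entries and undocumented_skills with your AGENTS.md path and ~/.openclaw/skills as the two arguments.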

Skills do not leave residual config or credential files in most cases. If the skill you installed required an API key and you stored it in your environment, you may want to revoke that key separately as a cleanup step.

Frequently Asked Questions

The most common questions about OpenClaw skill installation cover file locations, permission errors, and how to handle updates safely.

Where are OpenClaw skills stored after installation?

Skills install to ~/.openclaw/skills/ on Linux and macOS. On Windows the default path is %USERPROFILE%\.openclaw\skills\. Each skill gets a subdirectory matching its slug. Inside you will find skill.json (the manifest), the instruction files, and any templates.

Can you install multiple skills at once?

You can run multiple openclaw skills install commands in sequence, but there is no batch install flag in the current CLI. For teams deploying the same skill stack across machines, the standard approach is a setup script that runs each install command with its --allow-tools flag already specified.
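A sketch of such a setup script, which also applies the scoping rules from the permission table and the before/after section: it refuses entries with no allow list or an unknown permission name, holds back anything that asks for bash, and notes web access combined with file or email access. This is an added example, not OpenClaw's own code; the STACK format, the example-* slugs and the ok/warn/hold/reject policy are assumptions of the example, and it only prints the install commands for review.

```shell
# Added example (not OpenClaw's own code): plan a team skill stack with explicit scopes.
# STACK is constructed sample data, one "<skill-slug> <allow-tools list>" per line;
# only clawfetch-summarizer comes from this page, the example-* slugs are hypothetical.
STACK='clawfetch-summarizer file_read,web_get
example-notes file_read
example-builder file_read,bash
example-unscoped'

# Permission names taken from the reference table on this page.
KNOWN="file_read file_write web_get web_post bash email"

# check_tools LIST: prints a verdict; returns 0 for ok/warn, 1 for hold/reject.
check_tools() {
    [ -n "$1" ] || { echo "reject: no --allow-tools list"; return 1; }
    web=0; data=0; has_bash=0
    for t in $(printf '%s' "$1" | tr ',' ' '); do
        case " $KNOWN " in
            *" $t "*) ;;
            *) echo "reject: unknown permission '$t'"; return 1 ;;
        esac
        case "$t" in
            web_get|web_post) web=1 ;;
            file_read|file_write|email) data=1 ;;
            bash) has_bash=1 ;;
        esac
    done
    if [ "$has_bash" -eq 1 ]; then
        echo "hold: bash runs commands as your user, review the manifest first"; return 1
    fi
    if [ "$web" -eq 1 ] && [ "$data" -eq 1 ]; then
        echo "warn: web access combined with file or email access"; return 0
    fi
    echo "ok"
}

# plan_installs: print the install command for each entry that passes, and a
# comment line for each entry that is skipped or deserves a second look.
plan_installs() {
    printf '%s\n' "$STACK" | while read -r skill tools; do
        case "$skill" in ''|*[!A-Za-z0-9._-]*) echo "# SKIPPED: bad slug"; continue ;; esac
        if verdict=$(check_tools "$tools"); then
            [ "$verdict" = ok ] || echo "# $skill: $verdict"
            echo "openclaw skills install $skill --allow-tools $tools"
        else
            echo "# SKIPPED $skill: $verdict"
        fi
    done
}
plan_installs
```

Review the printed plan, then run the install lines; the skipped entries need a decision from a person, not a broader allow list by default.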

What happens if a skill requests a permission I did not include in --allow-tools?

The skill gets a permission denied error at runtime. The session log records the blocked tool call. You can either re-install with the additional permission if the tool call is legitimate, or leave the restriction in place if the skill should not need that access.

Do Verified skills on ClawHub get updated automatically?

Skill updates do not install automatically. You would need to run openclaw skills install again to pull the latest version. Check the ClawHub listing for a changelog before updating, since a new version may request different permissions.

How do you keep skill API costs under control?

Skills that make repeated web or API calls can generate unexpected costs if they run in loops. Running with openclaw session --verbose lets you see how many tool calls a skill is making per task. For broader cost management, the OpenClaw cost management guide covers session budgets and call limits.

Is there a managed option if I do not want to handle installation myself?

Yes. ClawTrust AI is a managed service that handles skill installation, permission configuration, and monitoring for you. It is worth considering if you are deploying skills across multiple projects or do not want to manage the permission flags manually.

Quick Takeaways

  • Run openclaw skills inspect before installing anything to read the tool manifest.
  • Always use --allow-tools to restrict permissions to only what the skill needs.
  • Test every new skill with openclaw run --sandbox before using it on real data.
  • Add an AGENTS.md entry for each skill with its permitted tools and usage limits.
  • Use openclaw session --verbose during early runs to watch actual tool calls in real time.
  • Remove stale AGENTS.md entries after uninstalling a skill to prevent agent looping.
