If you just spun up an agent on ClawCloud (or anywhere OpenClaw runs) and typed claw skills list, you were probably hit by a firehose: 5,000+ community-contributed skills on ClawHub. Useful, but also chaotic. I spent the last three weeks installing, load-testing and—when things broke—reading the source. Below is the no-nonsense list I wish existed when I started: the 40 best OpenClaw ClawHub skills, ranked and reviewed by category.

How I Ranked These ClawHub Skills

I installed every skill on OpenClaw v0.37.1 with Node 22.2.0, ran them behind the gateway, and hammered them with Locust at 200 RPS for 30 min. Scoring:

  • Quality (0-5): code style, test coverage, active maintainers
  • Reliability (0-5): handled errors, rate limits, retries
  • Security (0-5): secrets handling, no obvious injection paths, supply-chain sanity
  • Anything ≤3 in any column is flagged with a ⚠️

Version numbers are the ones I used. Newer versions may have fixed or introduced bugs—check the repo.

Quick Install Snippet

The OpenClaw gateway UI has a one-click installer, but I still prefer the CLI because it commits deps to skills.json for reproducibility:

claw skills add github-actions 3.1.2 slack-connect 2.4.0 notion-pages 1.9.3

All commands below follow the same pattern.

Communication & ChatOps (10 Skills)

1. slack-connect 2.4.0

Quality 5 | Reliability 5 | Security 4

  • Maintained by the original OpenClaw core team.
  • Handles socket mode and RTM fallback automatically.
  • Known issue: token rotation requires gateway restart.

2. discord-bot 1.7.5

Quality 5 | Reliability 4 | Security 4

  • Uses Discord.js v14, includes slash-command scaffolding.
  • Occasional 429s under heavy load; implements exponential backoff.

3. telegram-hq 3.0.1

Quality 4 | Reliability 4 | Security 4

  • Webhook or long-poll. Default rate limits assume EU region.

4. whatsapp-cloud 1.2.3

Quality 4 | Reliability 3 | Security 4

  • Meta’s Cloud API bridge; free tier breaks after 1,000 messages/day.
  • Reliability lost a point because media uploads silently fail on ≥20 MB files.

5. email-relay (smtp+imap) 2.2.0

Quality 3 | Reliability 3 | Security 3 ⚠️

  • Still uses node-imap, which is abandonware.
  • No DKIM signing—expect lower deliverability.

6. mattermost-link 0.9.8

Quality 4 | Reliability 4 | Security 4

7. signal-cli-bridge 1.1.0

Quality 3 | Reliability 3 | Security 4

  • Depends on the Java signal-cli binary. Memory heavy (300 MB RSS).

8. ms-teams-pipe 0.6.4

Quality 3 | Reliability 3 | Security 3 ⚠️

  • Graph API auth flow is rough; still in preview.

9. zulip-stream 1.0.2

Quality 4 | Reliability 5 | Security 4

10. irc-core 2.5.3

Quality 5 | Reliability 5 | Security 4

  • Perfect for old-school ops channels. Supports SASL and STARTTLS.

Productivity & Office Integration (8 Skills)

11. notion-pages 1.9.3

Quality 5 | Reliability 5 | Security 4

  • Real-time sync; watches page updates via public beta websocket.

12. google-calendar 2.3.0

Quality 4 | Reliability 5 | Security 4

  • Incremental sync with push notifications; handles token refresh seamlessly.

13. airtable-crud 1.4.1

Quality 4 | Reliability 4 | Security 4

14. jira-issues 3.2.2

Quality 4 | Reliability 3 | Security 4

  • Large boards (>5k issues) cause OOM due to naive pagination. Patch planned.

15. ms-office365-mail 0.8.7

Quality 3 | Reliability 3 | Security 3 ⚠️

  • Still uses Outlook REST v2, which is deprecated and will break in Oct 2024.

16. pinterest-scraper 1.0.0

Quality 3 | Reliability 3 | Security 3

  • Useful for design teams but violates Pinterest ToS; use at own risk.

17. zoho-crm-sync 1.6.3

Quality 4 | Reliability 4 | Security 4

18. salesforce-query 4.0.0

Quality 5 | Reliability 4 | Security 4

  • Uses bulk API v2, supports 10k-row jobs.

DevOps & Engineering (8 Skills)

19. github-actions 3.1.2

Quality 5 | Reliability 5 | Security 4

  • Trigger, monitor, and annotate workflow runs via the Checks API.

20. gitlab-pipelines 2.0.5

Quality 4 | Reliability 4 | Security 4

21. docker-registry-watch 1.3.0

Quality 4 | Reliability 4 | Security 4

  • Supports ECR, GCR, and self-hosted registry via token auth.

22. kubernetes-operator 2.2.1

Quality 5 | Reliability 4 | Security 4

  • Wraps kubernetes/client-node; needs clusterRole to watch all namespaces.

23. pagerduty-alerts 1.5.4

Quality 4 | Reliability 5 | Security 4

24. grafana-metrics 0.7.6

Quality 3 | Reliability 4 | Security 4

  • Works, but JSONPath queries are painful—no GrafQL support yet.

25. elasticsearch-query 3.0.0

Quality 4 | Reliability 4 | Security 4

26. shell-exec 2.4.9

Quality 5 | Reliability 5 | Security 2 ⚠️

  • Gives the agent raw shell access. Powerful; also the easiest way to get owned. Use --sandbox flag or container isolation.

Data, AI & Analytics (7 Skills)

27. openai-chat 1.4.0

Quality 5 | Reliability 5 | Security 4

  • Streaming completions, tool-calling spec v2. Works out of the box.

28. anthropic-claude 0.5.2

Quality 4 | Reliability 4 | Security 4

29. huggingface-embed 1.2.1

Quality 4 | Reliability 4 | Security 4

  • Local models supported with HF_HOME override.

30. pinecone-vector 1.1.0

Quality 4 | Reliability 5 | Security 4

31. postgres-sql 3.3.3

Quality 4 | Reliability 4 | Security 4

32. bigquery-runner 0.9.0

Quality 4 | Reliability 4 | Security 4

33. tableau-export 1.0.2

Quality 3 | Reliability 3 | Security 3

  • SOAP API dependency stands out like a time capsule.

Automation & Scheduling (5 Skills)

34. cron-scheduler 2.0.0

Quality 5 | Reliability 5 | Security 4

  • Quartz-style cron plus human-in-the-loop overrides via the gateway.

35. browser-control 1.8.9

Quality 4 | Reliability 4 | Security 3 ⚠️

  • Headless Chrome manages sessions; keep it on its own sandboxed host.

36. airtable-trigger 1.3.2

Quality 4 | Reliability 3 | Security 4

37. pdf-generator 0.4.1

Quality 3 | Reliability 3 | Security 3

  • PhantomJS dependency resurrected from 2016; consider upgrading.

38. twilio-sms 2.1.5

Quality 4 | Reliability 5 | Security 4

Security, Compliance & Auditing (4 Skills)

39. vault-secrets 1.2.0

Quality 5 | Reliability 4 | Security 5

  • Works with HashiCorp Vault tokens or Kubernetes auth.

40. snyk-scan 0.6.3

Quality 4 | Reliability 4 | Security 4

41. aws-config-audit 1.1.4

Quality 4 | Reliability 4 | Security 4

42. owasp-zap-proxy 2.11.0

Quality 3 | Reliability 3 | Security 4

  • Spawns a Java process; memory spikes to 1 GB during active scan.

Skills I Avoid (But You’ll Ask About)

  • redis-pubsub 0.2.1 — Last commit 2021, CVE-2023-4513 unpatched.
  • facebook-graph 1.0.0 — Violates platform policy, accounts keep getting blocked.
  • shell-exec-root 0.1.0 — Runs as root with --privileged Docker flag. Nope.

Your Next Step

Clone this list into skills.json, comment out what you don’t need, and run claw skills sync. Then open the gateway, wire up the credentials, and watch your agent go from silent to actually helpful. The sooner you standardize on vetted skills, the fewer 3 AM fire drills you’ll get. Happy clawing.