Home OpenClaw Skills Guide

Last updated: 2026-04-06

OpenClaw Skills Guide: Write Your Own

ClawHub lists over 50,000 community-published skills. We can't review them — and roughly 12% of the major public registry was found to contain malicious code in early 2026. Our philosophy: the safest skill is one your agent wrote for you. This guide teaches you exactly how to do that.

Why We Don't Link to Third-Party Skills

OpenClaw skills are small Node.js packages that can make network calls, read and write files, and execute shell commands on your machine. An unsafe skill is essentially malware with a friendly API. In early 2026, security researchers auditing a major public registry found that roughly 1 in 8 skills contained code designed to exfiltrate credentials or pivot to other systems on the same network.

The OpenClaw core team publishes 53 official skills. We review and link to those — see the Skills Database. Everything else, we point you toward writing yourself.

This isn't a limitation — it's an advantage. A skill your agent writes for you takes about 60 seconds to generate, does exactly what you want, nothing more, and you understand every line of it before it runs.

Before installing any third-party skill

Read the full source. Run openclaw skill verify <name> to check signatures against the official registry. If it's not in the official 53, ask yourself: do you know who wrote it and why? If not, have your agent write it instead.

Step-by-Step: Have Your Agent Write a Skill

  1. Describe exactly what you want. Be specific: what are the inputs? What should the output look like? Does the skill need to make network calls — and if so, to which domains specifically? Does it need file access — and if so, to which paths?
  2. Paste the prompt template below into your agent via any connected channel (WhatsApp, Telegram, Discord, or the web UI).
  3. Review the code before installing. Ask the agent to walk through every function and explain what it does. If it can't explain something, that's a red flag — ask it to rewrite that part more simply.
  4. Test in isolation: 
    openclaw skill test <skillname>
    This runs the skill in a sandboxed environment without enabling it globally.
  5. Iterate. Ask the agent to add error handling, timeouts, logging, or scope restrictions. Narrower is always safer.

Copy This Prompt

Paste this into your agent — replace the bracketed parts with your specifics:

"Write me an OpenClaw skill that does [describe the task clearly].

Requirements:
- No external network calls unless I explicitly list the domains here:
  [list approved domains, or write 'none' for a fully local skill]
- No file access outside this path: [your project directory]
- Include full error handling — if something fails, return a
  descriptive error string instead of crashing
- Add a JSDoc comment above each function explaining what it does
  and what it returns
- Output the complete skill as: one index.js file + one package.json
- Do NOT use any dependencies that aren't in the Node.js standard
  library unless you explain exactly why one is needed

Before I install it, walk me through:
1. What each function does
2. Every external call or file path the skill touches
3. Any edge cases where it could behave unexpectedly"

Ready-to-Use Starter Prompts

These are pre-filled versions of the template above for common use cases. Copy, adjust the bracketed parts, and paste into your agent.

Weather Summary

"Write an OpenClaw skill that fetches a 3-day weather forecast
for [your city, e.g. 'Austin, Texas'] from Open-Meteo
(api.open-meteo.com only — no API key required).
Return a plain-text summary: today's high/low + conditions,
tomorrow, and the day after. No file access needed.
Walk me through each part before I install it."

Daily Task Digest

"Write an OpenClaw skill that reads a plain-text todo.txt file
from [your path, e.g. ~/tasks/todo.txt].
Return today's incomplete tasks (lines not starting with 'x '),
sorted by priority prefix: !!! first, then !!, then !.
No network calls. No writes to the file — read-only.
Walk me through each part before I install it."

Shell Command Wrapper

"Write an OpenClaw skill that runs this shell command:
[your exact command, e.g. 'df -h']
and returns stdout as a string. Constraints:
- Hard-code the command — do not accept user input as a command string
- 30-second execution timeout
- If exit code is non-zero, return stderr instead
No network access, no file writes.
Walk me through each part before I install it."

Log Monitor

"Write an OpenClaw skill that reads the last 100 lines of
this log file: [your log path, e.g. /var/log/app/app.log]
and returns any lines containing ERROR, CRITICAL, or FATAL.
If no matching lines, return 'No issues found'.
Read-only file access, no network calls.
Walk me through each part before I install it."

GitHub PR Summary

"Write an OpenClaw skill that calls the GitHub API
(api.github.com only) to list the last 5 open pull requests
for repo [owner/repo, e.g. 'vercel/next.js'].
Return PR number, title, author, and creation date as plain text.
Use this GitHub token from the environment variable GITHUB_TOKEN.
No file access. Walk me through each part before I install it."

After Your Agent Writes the Skill

Once you're satisfied with the code review:

# Save the code to a local directory
mkdir -p ~/.openclaw/skills/my-skill
# (paste index.js and package.json into that directory)

# Install from local path
openclaw skill install --local ~/.openclaw/skills/my-skill

# Verify it passes the sandbox checks
openclaw skill test my-skill

# Enable globally
openclaw skill enable my-skill

You now have a skill that does exactly what you designed, with no unknown third-party code running on your machine.

← Back to OpenClaw hub · See also: Skills Database (53 Official) · Security Hardening