OpenClaw Skills Installation Guide: Tested List & Risk Mitigation Strategies

The open ecosystem of OpenClaw has made it a focal point in the AI assistant landscape, but this openness brings significant security risks. This guide addresses a core question: How can users enjoy the powerful OpenClaw ecosystem while precisely identifying and avoiding malicious plugins to build a secure, efficient AI environment? Based on tested data, we provide a reliable list of Skills and a detailed deployment plan.

Image Source: Article Attachment

The Hidden Landmines Behind Ecosystem Prosperity

In 2026, the OpenClaw Skill ecosystem became its core competitive advantage, but it also became a “honey pot” for hackers. Security audit data is staggering: Koi Security identified at least 341 malicious Skills, Bitdefender scans revealed safety issues in nearly 20% of plugins, and VirusTotal analysis of 3,016 Skills uncovered hundreds with malicious characteristics.

These malicious plugins often disguise themselves as high-frequency utility tools like “crypto wallet trackers” or “YouTube summary tools,” quietly stealing API Keys in the background or even opening reverse shells to control user devices. For novices, installing Skills without discrimination is akin to opening the door to thieves. Therefore, establishing a security selection logic is more important than blindly pursuing functionality.

Author’s Insight:
In the process of trying out new technologies, we often overlook the boundaries of “permissions.” Since an AI assistant can send emails and manipulate files for us, it possesses the capacity for destruction. Security relies not only on the defense of the tool itself but also on the selection wisdom of the user. Do not let the “sharp blade” of enhanced functionality become a “landmine” that damages your system.

The Three-Step Security Selection Method

Before installing any non-official Skill, it is recommended to strictly execute the following three steps. This filters out over 90% of potential risks:

1. Check Reports: Use tools like VirusTotal to scan plugin packages and confirm no malicious characteristics exist.
2. Check Repositories: Ensure there is a public GitHub source code repository with substantive code, not just an empty shell or a README file.
3. Read Documentation: Review whether the documentation is professional and if there are excessive permission requests or requirements to execute suspicious scripts (like curling external scripts).

Based on this methodology, we categorize Skills into four tiers for recommendation and analysis.

Tier 1: Official Built-in Skills (Security Level ⭐⭐⭐⭐⭐)

These are the highest priority choices for security. Maintained by the OpenClaw core team (including founder steipete), the code is fully open-source and auditable. They usually come pre-installed with OpenClaw.

1. Email Management: From Passive Checking to Active Processing

Email is a core pain point for professionals. OpenClaw revolutionizes email interaction through two official Skills.

gog (Google Suite Integration)

Core Question: How can AI safely manage my Google Mail and Schedule?

gog is the Swiss Army knife for the Google ecosystem, covering Gmail, Calendar, Drive, and more. The biggest highlight is security—all operations are authorized via Google’s official OAuth 2.0, meaning passwords never pass through third-party servers.

Installation and Configuration:

# macOS (Homebrew Installation)
brew install steipete/tap/gogcli

# Linux (Manual Compilation)
git clone https://github.com/steipete/gogcli.git
cd gogcli && make build
sudo cp bin/gog /usr/local/bin/

# Authentication Configuration (Requires client_secret.json beforehand)
gog auth credentials /path/to/client_secret.json
gog auth add you@gmail.com --services gmail,calendar,drive,contacts,sheets,docs

Application Scenario:
You can set up an automated workflow: Every day at 9 AM, OpenClaw automatically summarizes unread emails from the past 12 hours, identifies items marked as “Urgent,” and drafts reply suggestions. This not only saves time scrolling through emails but focuses your work energy on “processing” rather than “browsing.”

Note: There is a known bug in the Linux system (Issue #9420); macOS is recommended for the best experience. If deploying on a VPS, OAuth authentication must be completed via SSH port forwarding.

himalaya (General Email Sending/Receiving)

Core Question: If I don’t use Google Mail, how can I manage multiple email accounts uniformly?

For users of ProtonMail, Fastmail, or corporate emails, himalaya is the best alternative. It supports standard IMAP/SMTP protocols and offers strong compatibility.

Installation Commands:

# macOS Installation
brew install himalaya

# Linux Installation (Choose one)
cargo install himalaya
# Or download pre-compiled binary
wget https://github.com/soywod/himalaya/releases/latest/download/himalaya-linux-amd64.tar.gz
tar -xzf himalaya-linux-amd64.tar.gz
sudo mv himalaya /usr/local/bin/

2. Search & Information: Giving AI “Internet” Capability

An AI without internet capability is like a phone without a network cable; it can only rely on the local knowledge base.

brave-search (Web Search)

Core Question: How can an AI assistant obtain real-time internet information?

This is the first Skill to install after deployment. Based on Brave’s independent index, it provides 2,000 free searches per month and does not rely on Google or Bing. It is the cornerstone of AI networking capability.

Configuration Steps:

# Step 1: Apply for API Key (https://brave.com/search/api/)
# Step 2: Configure OpenClaw
openclaw configure --section web

# Or manually edit the config file
cat > ~/.openclaw/openclaw.json << EOF
{
  "tools": {
    "web": {
      "search": {
        "provider": "brave",
        "apiKey": "YOUR_BRAVE_API_KEY",
        "maxResults": 5
      }
    }
  }
}
EOF

Application Scenario:
Combined with information organizing tools, you can have the AI perform “automatic web scraping and structured summarization.” For example, “Search for news about ‘solid-state battery breakthroughs’ in the last week and organize it into a table.”

blogwatcher & goplaces

• blogwatcher: Suitable for content creators. Paired with Cron tasks, it can “push the latest articles in your field at 8 AM daily,” eliminating the need to manually refresh subscription sources.
• goplaces: A local life tool providing restaurant, address, and rating queries. Requires a Google Places API Key.

3. Notes & Knowledge Management: Building a Second Brain

obsidian & notion

Core Question: How should I choose between local and cloud note integration schemes?

• Obsidian: Directly manipulates local Markdown files with high privacy. Suitable for local deployment scenarios. If OpenClaw is deployed on a VPS, a sync solution like Syncthing must be configured.
• Notion: Cloud-native, suitable for VPS deployment, no local file restrictions.

Notion Configuration Flow:

# 1. Visit notion.so/my-integrations to create an integration
# 2. Obtain the Internal Integration Token
# 3. Authorize the integration on the Notion page
# 4. Terminal Configuration
openclaw config set tools.notion.token "YOUR_INTERNAL_INTEGRATION_TOKEN"

Additionally, apple-notes supports only macOS, deeply integrating into the Apple ecosystem for Apple users.

4. Social & Communication: Taking Over Social Accounts

bird (X/Twitter CLI)

Core Question: How to automate Twitter management without paying expensive API fees?

Developed by founder steipete, it authenticates via browser cookies, cleverly bypassing Twitter’s $100/month API cost.

Installation & Testing:

# macOS Homebrew Installation (Recommended)
brew install steipete/tap/bird

# Verification
bird check        # Check auth status
bird whoami       # View current account
bird search "OpenClaw" -n 5  # Search test

Application Scenario:
Set a task to track AI field keywords daily, automatically organizing core news and sending it to your inbox, making it several times more efficient than manual scrolling.

slack/discord enable message sending/receiving and channel management via Bot Tokens, suitable for community managers.

5. Development & Efficiency: A Programmer’s Sharp Tool

github (GitHub CLI Integration)

Core Question: How to manage code repositories efficiently without a browser?

Developed based on the official gh CLI, it supports Issue management, PR merging, and CI queries.

# Install gh CLI
# macOS
brew install gh
# Linux
sudo apt update && sudo apt install gh

# Login & Enable
gh auth login
openclaw config set tools.github.enabled true

clawdhub (Skill Management Tool)

This is the “butler” for managing all Skills, an essential tool.

# Common Commands
npx clawhub@latest install <skill_name>  # Install
npx clawhub@latest search <keyword>      # Search
npx clawhub@latest update --all          # Update
npx clawhub@latest list                 # List

Other useful built-in Skills include whisper (local voice-to-text, privacy-safe), weather (out-of-the-box weather queries), model-usage (API cost tracking), and more.

Tier 2: China Platform Zone Skills (Security Level ⭐⭐⭐⭐)

The domestic Chinese office environment differs vastly from overseas. OpenClaw natively does not support WeChat, DingTalk, etc., requiring community-verified plugins. The following plugins have been included in official documents by Alibaba Cloud and others.

1. Feishu (Lark)

Core Question: How to safely connect a Feishu bot in an enterprise intranet environment?

The Feishu plugin uses WebSocket long connections, requiring no public IP, and offers strong penetration capabilities.

Installation & Configuration:

# Install official plugin
openclaw plugins install @openclaw/feishu

# Configuration parameters
openclaw config set channels.feishu.enabled true
openclaw config set channels.feishu.appId "cli_YOUR_AppID"
openclaw config set channels.feishu.appSecret "YOUR_AppSecret"

# Restart gateway
openclaw gateway restart

Advanced Needs: If you need to operate Bitable (multidimensional tables), cloud documents, etc., you can install the extension pack @m1heng-clawd/feishu.

2. DingTalk

Core Question: How to deploy a DingTalk bot without a public IP?

Adopting Stream mode, it supports WebSocket and is compatible with private and group chats.

Configuration Example:

# Install openclaw-china all-in-one package
git clone [repo_url]
cd openclaw-china
pnpm install && pnpm build
openclaw plugins install -l ./packages/channels

# Configure DingTalk parameters
openclaw config set channels.dingtalk.enabled true
openclaw config set channels.dingtalk.clientId "dingxxxxxx"
openclaw config set channels.dingtalk.clientSecret "YOUR_APP_Secret"

3. WeCom (WeChat Work)

Core Question: How can AI access personal WeChat?

This is the biggest highlight of the WeCom plugin. Through the interconnection plugin between WeCom and personal WeChat, users can interact directly with OpenClaw in their personal WeChat app.

Note: A public accessible Webhook callback is required; Cloudflare Tunnel is recommended to solve this.

Configuration Key Points:

openclaw config set channels.wecom.enabled true
openclaw config set channels.wecom.corpId "YOUR_CORP_ID"
openclaw config set channels.wecom.corpSecret "YOUR_APP_SECRET"
# ... other parameter configurations
openclaw gateway restart

Additionally, the openclaw-china all-in-one integration package supports a four-in-one combination of Feishu, DingTalk, QQ, and WeCom, suitable for multi-platform users.

Tier 3: Community High-Star Verified Skills (Security Level ⭐⭐⭐⭐)

Included in awesome-openclaw-skills (9.2K Stars). Although unofficial, they have been verified on a large scale by the community.

• better-notion: Provides more complete CRUD functions than the official one, suitable for heavy Notion users.
• senior-fullstack: Full-stack development scaffolding, integrating frameworks like Next.js and Django, allowing novices to quickly set up projects.
• react-email-skills: Generate HTML marketing emails using React components, a boon for business professionals.
• resume-builder: Automatically generates multi-format resumes, essential for job seekers.

Installation command is unified as: npx clawhub@latest install <skill_name>.

Tier 4: Popular But Requires Caution Skills (Security Level ⭐⭐⭐)

These Skills are extremely powerful but involve high-permission operations or risks of being impersonated.

1. firecrawl (Web Scraping): Supports JS rendering page scraping. Powerful but extremely high permissions. Recommended to use only in a Docker isolated environment.
2. youtube-full: Supports video transcription and channel search. Beware of impersonating plugins; ensure the publisher is ZeroPointRepo.
3. gamma: AI-generated PPTs. Verify source code integrity before installation to avoid malicious code injection.

Types of Skills to Absolutely Avoid (Security Level ❌)

According to security reports, avoid these types directly:

1. Crypto/DeFi Related: A disaster area for malicious plugins, often disguised as trackers to steal private keys.
2. Name Approximation Impersonation: E.g., openweet impersonating opentweet (Typosquatting attacks).
3. Requesting curl External Scripts: High probability of containing malicious implants.
4. No Source Code Repository: “Black box” plugins that cannot be audited.
5. Encrypted zip Packages: Legitimate plugins do not need to hide content with encryption.

Practical Combination: Creating an All-Round AI Assistant

You don’t need to install hundreds of Skills. The following combination of 6 is enough to cover 90% of daily needs:

Skill Name	Functional Positioning	Practical Value
gog	Email & Calendar	Automatically summarizes unread emails, manages schedules, core for business.
brave-search	Web Search	Provides real-time networking capability, breaking information silos.
obsidian	Note Management	Local knowledge base secure storage, building a second brain.
github	Code Management	Essential for devs, full-flow Issue/PR management.
bird	Social Tracking	Automatically scrapes industry dynamics, an information source filter.
weather	Weather Query	Daily travel aid, simple and practical.

Scenario Example:
At 8 AM, bird captures the latest AI dynamics and saves them to obsidian; gog summarizes emails and syncs to the calendar; before you leave the house, weather reminds you to bring an umbrella. This forms a closed loop of an actively serving AI assistant.

Advanced Skill Usage: Security Hardening Techniques

1. Regular Auditing and Cleaning

Execute updates weekly and audits monthly.

# Update all Skills
npx clawhub@latest update --all

# Uninstall unused plugins
rm -rf ~/.openclaw/skills/<skill_name>
openclaw gateway restart

2. Docker Isolation Operation

For high-risk, high-permission Skills like firecrawl, be sure to use Docker isolation.

# Create isolated container
docker run -d --name openclaw-skill-isolate --network=host -v ~/.openclaw:/root/.openclaw openclaw/clawbase:latest

# Enter container to install
docker exec -it openclaw-skill-isolate bash
npx clawhub@latest install firecrawl

3. Configure Permission Whitelists

Restrict Skill access directories via configuration files to prevent sensitive data leakage.

# Edit ~/.openclaw/openclaw.json
"skills": {
  "permissions": {
    "allowedDirectories": ["/root/.openclaw/skills", "/tmp"],
    "blockedCommands": ["rm", "ssh", "curl"]
  }
}

Author’s Perspective:
The essence of technical security is the “Principle of Least Privilege.” We should not blindly trust any plugin, even if it has high community stars. Restricting directories via whitelists and limiting environments via Docker are the defensive mindsets a mature engineer should have. Remember, security is not a feature; it’s a habit.

Conclusion: Safety First, Let Skills Be an Aid

The OpenClaw Skill ecosystem is its soul; 5700+ skills allow AI to extend infinitely. However, the “arsenal” contains both functional weapons and landmines. By following the three-step method of “Check Reports, Check Repositories, Read Documentation,” prioritizing official built-in and high-star verified plugins, and staying away from crypto and impersonating apps, we can enjoy the convenience while maintaining a security baseline.

I hope this guide helps you master OpenClaw, evolving it from a “passive chat box” to an “active efficiency assistant.”

---

One-Page Summary

1. Core Risk: Nearly 20% of third-party Skills have safety hazards. Strict prevention of API Key theft and reverse shells is required.
2. Selection Principle: Official > Community High-Star > Use with Caution. Prefer open-source plugins with audit reports.
3. Must-Install List: gog (Email), brave-search (Networking), obsidian (Notes), github (Dev).
4. Regional Environment: For Chinese platforms, use the openclaw-china all-in-one package for Feishu, DingTalk, and WeCom.
5. Pitfall Avoidance: Never install Crypto currency types, name-impersonating types, or source-less Skills.
6. Security Hardening: High-permission Skills require Docker isolation, and directory access whitelists should be set in configuration files.

Frequently Asked Questions (FAQ)

Q1: What is the difference between an OpenClaw Skill and a regular browser extension?
A1: The fundamental difference lies in permissions. Skills run at the system’s bottom layer and can directly read/write files, execute terminal commands, and call system APIs. Therefore, a malicious Skill has far more destructive power than a browser extension and could directly control your operating system.

Q2: I am a beginner. Which Skills should I start installing?
A2: It is recommended to start with Tier 1 “Official Built-in Skills.” First, install brave-search to give the AI networking capability, then install gog (Email) or obsidian (Notes) as needed. Official Skills have the highest security and require no complex configuration.

Q3: Why do you recommend against installing Cryptocurrency-related Skills?
A3: According to security audit reports, Cryptocurrency/DeFi categories are the hardest hit areas for malicious plugins. Hackers often disguise themselves as wallet tracking tools to steal private keys or mnemonic phrases. The security risk of such plugins is extremely high; complete avoidance is recommended.

Q4: How do I safely use OAuth authentication when deploying OpenClaw on a VPS?
A4: For Skills like gog that require browser authentication, headless VPS environments can be challenging. It is recommended to use SSH port forwarding to forward the VPS’s authentication request to your local browser to complete the auth flow.

Q5: How can I judge if a community Skill is safe?
A5: Follow the “Three-Step Method”: First, check if there is a public GitHub repository with active code; second, check VirusTotal scan results; third, check if the documentation is clear. If a Skill asks for sensitive passwords or executes suspicious scripts, stop the installation immediately.

Q6: What should I do if installing a Skill causes OpenClaw to crash?
A6: First, try uninstalling the most recently installed Skill (delete the corresponding folder in the ~/.openclaw/skills/ directory). If a high-permission Skill caused system file damage, it is recommended to restore the environment in a Docker container. Always make a habit of backing up important data.

Q7: Can OpenClaw access personal WeChat?
A7: There is no official plugin directly supporting personal WeChat yet. The current compromise solution is through the “WeCom” Skill, utilizing the interoperability feature between WeCom and personal WeChat to indirectly achieve interaction with personal WeChat.

Q8: What does npx clawhub@latest mean in the Skill installation command?
A8: This indicates using npx to temporarily download and run the latest version of the clawhub package to execute the installation command. This method does not require global installation of clawhub, ensuring the latest version is used every time, reducing dependency conflicts.