What Skills Are

Out of the box, OpenClaw can do the basics: receive messages, send messages, and call the AI model. But the real power comes from skills — modular extensions that give the agent new capabilities.

A skill is technically a folder that contains:

  • Instructions — a description of what the skill does and how the agent should use it
  • Tool definitions — the specific actions the skill enables (API calls, file operations, database queries)
  • Configuration — settings like API keys, permissions, and default behaviors
  • Code — the actual scripts or functions that execute the skill's actions

When you install a skill, you're giving your agent a new set of tools it can use to complete tasks. The agent reads the skill's instructions, understands what it can do, and uses the tools when appropriate — the same way you might install an app on your phone to add a new capability.

The ClawHub Marketplace

ClawHub is the primary marketplace for OpenClaw skills. It hosts thousands of community-contributed skills across categories like productivity, communication, research, development, and business tools. Installing a skill from ClawHub is straightforward — you select the skill, review its permissions, and install it with a single command.

However, ClawHub is an open marketplace, which means quality and safety vary dramatically. Some skills are well-maintained and trustworthy. Others are abandoned, poorly coded, or outright malicious. This is why skill vetting is one of the most important parts of a professional OpenClaw setup.

Essential Business Skills

Based on our experience configuring OpenClaw for dozens of Canadian businesses, these are the six skills that deliver the most value:

1. Web Search

Gives your agent the ability to search the internet, read web pages, and extract information. Essential for competitive research, market monitoring, lead research, and answering questions that require current information. Without this skill, your agent can only work with information it already has.

2. Gmail / Email Integration

Connects your agent to your email inbox with full read/write capabilities. Enables inbox triage, draft responses, email summarization, and organized filing. This is the foundation of most email management workflows.

3. Calendar Integration

Connects to Google Calendar or Outlook Calendar. Your agent can check availability, create events, send invitations, and manage scheduling conflicts. Powers the scheduling automation that eliminates back-and-forth booking.

4. Notion / Document Integration

Connects to your knowledge base or document system. The agent can read, create, and update pages in Notion, Google Docs, or your local file system. Essential for consultants who need the agent to reference project documentation, SOPs, or client notes.

5. CRM Connectors

Integrates with your CRM (HubSpot, Salesforce, Pipedrive, or others). Your agent can look up contacts, update deal stages, log interactions, and pull pipeline data. Especially valuable for small businesses that need the agent to participate in lead management.

6. Memory / Knowledge Management

Gives your agent persistent memory about your business, preferences, clients, and past interactions. Without this skill, each conversation starts from scratch. With it, the agent remembers that you prefer morning meetings, that Client X always needs extra follow-up, and that your accountant's name is Sarah.

Security Concerns: The 1,000+ Malicious Skills Problem

This is the part most articles about OpenClaw skills skip, but it's critical. Security researchers have identified over 1,000 malicious or compromised skills on ClawHub and third-party sources. The risks include:

  • Data exfiltration — skills that send your emails, files, or conversation history to external servers
  • Prompt injection — skills that modify your agent's behavior to act against your interests
  • Credential theft — skills that capture and transmit your API keys, passwords, or tokens
  • Unauthorized access — skills that create backdoors for external access to your agent

For a detailed breakdown of these risks and how to prevent them, see our security risks guide.

Our Vetting Process

During professional setup, we vet every skill before installation. Our process includes:

  1. Source code review — reading every line of the skill's code
  2. Permission audit — verifying the skill only requests access it genuinely needs
  3. Author verification — checking the developer's identity and track record
  4. Network analysis — monitoring what external connections the skill makes
  5. Sandbox testing — running the skill in an isolated environment before production deployment

Custom Skills

When no existing skill fits your needs, custom skills bridge the gap. Common custom skill examples:

  • Connecting to an industry-specific CRM or database
  • Querying your internal inventory or pricing system
  • Integrating with your specific project management workflow
  • Automating a proprietary process unique to your business

Custom skill development is included in our Business Setup tier. We build the skill to your specifications, test it thoroughly, and document it for your team. For details on what's included, visit our services page or check the security overview for how we protect your custom integrations.