5 ClawHub Alternatives for Safer Agent Skills (2026)
Looking for a ClawHub alternative after the ClawHavoc malware campaign? Compare 5 safer skill registries on vetting, provenance, and team controls.
ClawHub grew fast as the community skill registry for OpenClaw, and for a while it was the easiest place to grab OpenClaw skills for a personal agent. Then the malicious-skill campaigns hit, "clawhub malware" became a search term, and a lot of people started looking for a ClawHub alternative that does not treat security as an afterthought.
The short answer: localskills.sh is the strongest ClawHub alternative if you want provenance, frozen versions, private distribution, and a review gate in front of what your agents install. Anthropic's official skills repo is the safest zero-infrastructure source for Claude-style skills. skills.sh is a better-known public directory for discovery. A private GitHub repo gives you total control at the cost of manual installs, and a self-hosted Claude Code plugin marketplace works if your team is all-in on one tool. The rest of this post explains what went wrong on ClawHub, what "safer" concretely means, and how the five options compare.
What happened on ClawHub: malware, ClawHavoc, and unvetted uploads
ClawHub is the skill registry for OpenClaw, the open-source personal agent that runs on your own machine — often with access to your messaging apps, email, and shell. Skills are markdown instruction files, frequently bundled with scripts, and the registry let anyone publish instantly with no review step.
That combination is what the ClawHavoc campaign exploited. In early 2026, security researchers found waves of malicious skills on ClawHub — hundreds of uploads across successive batches — many posing as crypto-trading helpers, market dashboards, or productivity tools. The skills themselves read innocently enough; the payload was in what they told the agent to do, typically some variant of "install this dependency first," pointing at a script that delivered infostealer malware. Because an OpenClaw agent executes instructions with the user's own permissions, the agent became the installer.
ClawHub removed flagged skills and added scanning after the fact, but takedowns treat the symptom. The structural problems are the interesting part, because they are the checklist for evaluating any replacement:
- No review gate. Anything uploaded was immediately installable by everyone.
- Thin provenance. A fresh account could publish a skill indistinguishable, at install time, from an established author's.
- No meaningful versioning. A skill you vetted last week could quietly become a different skill today.
- Maximum blast radius. Skills ran inside an agent that already had broad access to the machine, so one bad install compromised everything the agent could touch.
None of this is unique to ClawHub — it is the default failure mode of any open skill directory. Which is why the fix is structural, not "pick a registry with better moderators."
What a safer ClawHub alternative actually looks like
Skill registry security is not a scanner badge on the homepage. Scanning helps, but ClawHavoc-style skills are plain markdown telling an agent to fetch a URL — there is often no binary to scan until the damage is underway. The properties that actually reduce risk:
- Provenance you can trace. A publisher identity attached to every skill, ideally an organization you already trust, so "who wrote this?" has an answer before install.
- A human review step. Somewhere between "author wrote it" and "it runs on every developer's machine," a person you trust reads the skill. Pull-request review is the proven shape for this.
- Frozen, versioned artifacts. Publishing should snapshot the skill. What you reviewed is what you install, and when an update misbehaves you roll back instead of forensically diffing a repo.
- Visibility controls. Internal skills should be publishable as private or unlisted — the skills that encode your infrastructure details are exactly the ones that should never sit in a public directory.
- Scoped agent access. If agents install skills autonomously (over MCP, for instance), that access should be authenticated and scope-limited, not an open write path.
- An audit trail. When something does go wrong, you want to know who installed what, and when.
If you are still building a mental model of how skill registries and marketplaces differ, the Claude skills marketplace guide covers the landscape; the criteria above are the security cut of it.
The 5 best ClawHub alternatives, compared
| Alternative | Model | Review gate | Provenance | Private skills | Versioning + rollback | Multi-tool install |
|---|---|---|---|---|---|---|
| localskills.sh | Versioned registry | Yes — org roles + GitHub-sync PRs | Org/publisher namespaces | Yes (private, unlisted) | Yes | Yes — CLI writes each tool's format |
| Anthropic official skills repo | Curated GitHub repo | Upstream maintainers | Anthropic | No | Git history only | Manual copy |
| skills.sh | Public directory | No | Author accounts | No | No | Directory-dependent |
| Private GitHub repo | DIY registry | Yes — your PRs | Your org | Yes | Git history only | Manual copy per tool |
| Self-hosted Claude plugin marketplace | Tool-specific marketplace | Yes — you control the repo | Your org | Yes | Repo-level | Claude Code only |
1. localskills.sh — a registry built around the review gate
localskills.sh is a full registry for agent skills and rules rather than an open directory. Measured against the criteria above:
- Provenance and structure. Skills live under organization namespaces with folders, teams, member roles and custom roles, and folder-level access restrictions — so a platform team can curate exactly which skills the rest of the org sees and publishes.
- Review via pull requests. GitHub sync mirrors an org's skill library to a repo bidirectionally; edits made in the repo import back as new skill versions, which means skill changes can flow through the same PR review you already trust for code.
- Frozen versions with rollback. Every skill is a package with a root
SKILL.md— optionally a multi-file folder with docs, scripts, and templates up to 100 MB and 500 files per version — and every publish is a version you can roll back. - Visibility controls. Public, private, or unlisted per skill, with download analytics built in so you can see what is actually being installed.
- Scoped agent access. The MCP server lets agents search and install skills over MCP with OAuth and scoped access instead of an unauthenticated free-for-all.
- One skill, every tool. The CLI installs a published skill into Claude Code, Cursor, Windsurf, GitHub Copilot, Cline, Codex CLI, Aider, and more — writing
.claude/skills/for Claude Code,.cursor/rules(.mdc) for Cursor,.windsurf/rules/for Windsurf, and so on, from one source of truth. - Enterprise plumbing where the audit question matters: SAML SSO (with setup templates for Okta, Cloudflare Access, and Authentik), SCIM directory sync, audit logs, and verified-domain auto-join.
Honest limits: it is a registry, so there is a publish step. If you are a solo user who only ever installs two community skills, that ceremony buys you less than it buys a team.
2. Anthropic's official skills repo — curated, zero infrastructure
Anthropic maintains an official skills repository, and it is the lowest-risk public source of Claude-style skills: maintainer-reviewed content from a known publisher, fully readable before you copy anything into .claude/skills/. The trade-offs are the flip side of the curation — a small catalog, no private skills, no install tooling, and no versioning beyond git history. Treat it as a trusted source, not a distribution system.
3. skills.sh — the discovery directory
skills.sh is the best-known public directory for agent skills, with a leaderboard that gives you a real signal about what the community uses. As a ClawHub alternative it is a lateral move on security — it is still an open directory, so the same audit burden applies to every install — but the ecosystem around it is larger and the content skews toward coding agents rather than personal automation. If you are evaluating it seriously, we wrote up how skills.sh compares to registries and other directories separately.
4. A private GitHub repo — the DIY registry
A repo of vetted skills, PR-reviewed by your own team, is a legitimate answer: full control, real review, zero new vendors. The costs show up in operations. Installs are manual copies, translating one skill into each tool's native format (.cursor/rules, .claude/skills/, .windsurf/rules/, Copilot instructions) is your job forever, there is no rollback beyond git archaeology, and you get no signal about who installed what. Fine at five engineers; painful at fifty.
5. A self-hosted Claude Code plugin marketplace — single-tool, full control
If your team is entirely on Claude Code, you can host your own plugin marketplace from a repo you control and get a review gate for free, since you own what lands in it. We cover the setup in the private Claude plugin marketplace guide. The constraint is in the name: it distributes to Claude Code only, so the day someone on the team opens Cursor or Windsurf, you are back to maintaining parallel copies.
Migrating your installed skills without carrying risk over
Switching registries while keeping your existing installs defeats the purpose — if any of them came from an unvetted source, the risk migrates with you. Do it in order:
-
Inventory what is installed. Check every location your tools read:
~/.claude/skills/and.claude/skills/,.cursor/rules/,.windsurf/rules/, and any OpenClaw skills directory if you ran it. -
Audit before you keep. For each skill, read the
SKILL.mdand every script it references. Anything that fetches remote URLs, pipes to a shell, or carries encoded blobs gets rebuilt from scratch or dropped — the skill security audit checklist is the full procedure. -
Republish the survivors to the new home. With a registry this is one command per skill, run from the skill's folder:
npm install -g @localskills/cli
localskills login
localskills publish
- Reinstall from the registry, not from the old copies. Delete the old files and reinstall so every skill on disk traces back to a reviewed, versioned source — one install can write every tool's format at once:
localskills install your-org/deploy-checklist --target claude cursor windsurf
- Close the old tap. Remove the old registry's CLI or config so a stale habit (or an agent following stale instructions) cannot reinstall from it.
How to audit whatever registry you end up using
No registry choice removes the need to read what you install. A repeatable pre-install pass:
- Read the whole package, not just the description. The description is marketing; the
SKILL.mdbody and bundled scripts are what the agent acts on. - Flag network-plus-execution. The ClawHavoc pattern was "download this, then run it." Any skill that both fetches remote content and executes it deserves hostile scrutiny.
- Distrust obfuscation categorically. Base64 blobs, packed one-liners, or instructions telling the agent to skip confirmation prompts have no legitimate place in a skill.
- Check the publisher and the version history. A named org with a stable history beats a week-old account. Prefer registries where versions are frozen, so a good skill cannot silently become a bad one.
- Re-audit on update. A version bump is a new trust decision. Rollback support turns a bad update into an inconvenience instead of an incident.
FAQ
Is ClawHub safe to use now?
Safer than during the ClawHavoc campaign — flagged skills were removed and scanning was added — but the model is still open publishing into high-privilege agents, and markdown-borne instructions are hard to scan reliably. If you keep using it, audit every skill by hand before install.
Do OpenClaw skills work with Claude Code or Cursor?
The formats are close cousins — both center on a SKILL.md-style instruction file — but each tool reads its own directory and format. Republishing a vetted skill to a registry that writes tool-native output (the localskills CLI targets Claude Code, Cursor, Windsurf, Copilot, Cline, Codex CLI, and Aider) beats hand-porting it per tool.
What made the ClawHavoc campaign effective?
Three things compounding: no review between upload and install, payloads hidden in instructions rather than binaries (so scanners had little to grab), and agents that execute what skills say with the user's full permissions. Any alternative you pick should break at least the first link in that chain.
Do I need a paid registry to be safe?
No — a private GitHub repo with mandatory PR review satisfies the core security criteria. A registry adds the operational layer on top: frozen versions with rollback, per-tool install output, private visibility, scoped MCP access for agents, and audit logs.
Ready to give your team a skill registry with provenance, versioning, and a real review gate? Sign up for localskills.sh and publish your first vetted skill in minutes.
npm install -g @localskills/cli
localskills login