Analysis
Think of it like the early days of app stores, except the apps can read your files, run commands, and talk to the internet on your behalf. That is roughly what an agent skill is: a small package that gives an AI agent a new ability. The question every business now faces is simple. Where do you get those skills, and how much do you trust them?
In early 2026 that question stopped being academic. A security firm called Koi Security pulled apart a chunk of ClawHub's catalogue and found hundreds of skills quietly carrying malware. Around the same time, a separate flaw in the OpenClaw platform itself made headlines. Suddenly "just install it from the marketplace" sounded a lot less casual.
So the industry is splitting into two camps. The open camp says publish first, sort it out later, and let scale do the work. The curated camp says check everything before it ships, even if that means fewer skills and slower releases. Most Australian teams will end up touching both, which is why the contrast is worth understanding before you wire either one into your stack.
One note on framing up front. The two sides are not a clean apples-to-apples match. ClawHub is a marketplace you can browse and install from. The agentskills.io label, by contrast, is closer to an open specification (the SKILL.md format, released as an open standard in December 2025) than a single gated store. Platforms like Hermes follow that spec rather than being it. Keep that distinction in mind as the comparison below leans on it.
ClawHub.ai: The Open Marketplace
ClawHub is the biggest open skill marketplace for OpenClaw agents. The article's source put the catalogue at 12,847 published skills as of June 2026, though independent reporting puts the real figure in flux: somewhere north of 13,700 earlier in the year, then sharply lower after a security purge. Treat any single count as a snapshot, not gospel.
The model will feel familiar if you have ever used npm or PyPI. Anyone can publish, you find skills through search and rankings, and the community sorts the wheat from the chaff itself. Publishing needs little more than a GitHub account that is a week old.
Strengths
- Scale: a catalogue in the tens of thousands covers a huge spread of use cases
- Velocity: new skills land daily, so the ecosystem keeps moving
- Discovery: search, categories, and trending lists make it easy to find what you need
- Zero friction: run `openclaw skills install <name>` and you are away
Weaknesses
- Security: a Koi Security audit found 341 malicious skills. A related platform flaw, CVE-2026-25253, also surfaced around the same time (more on the attack vector below).
- Quality variance: with no quality gate, reliability is all over the map
- Maintenance: abandoned skills pile up and nobody manages their lifecycle
- Trust: you cannot really know what a skill does without reading its source
Post-CVE Changes
This is where the original write-up gets ahead of the facts, so read it with care. ClawHub reportedly tightened things up after the incident, but the specific list of changes does not all check out against the public record.
What the sources actually support is narrower: ClawHub's confirmed response, working with VirusTotal from early February 2026, was upload-time SHA-256 scanning, daily re-scanning, and behavioural analysis. A publisher verification scheme arrived in March 2026, with reportedly low adoption.
The original article also claimed mandatory sandboxing, cryptographic publisher signing, dynamic analysis on upload, and a paid bug bounty programme. Those are not corroborated. Sandboxing and dynamic analysis show up in security researchers' recommendations rather than as shipped features, the verification scheme is not the same thing as mandatory signing, and there is no evidence OpenClaw runs a paid bug bounty. Treat that bundle as unconfirmed.
The same goes for the claim that publication time jumped from minutes to hours. No source backs it, and since the real fix was automated scanning rather than manual review, it does not square with how the system actually works. Some community members did reportedly grumble about the open marketplace getting "corporatised," but the friction story is softer than the original made out.
agentskills.io: The Curated Registry
Here the original framing needs the biggest correction. It described agentskills.io as "the Hermes skill platform," a curated registry run by Nous Research that reviews every skill before publication. That is not accurate.
agentskills.io is an open standard, the SKILL.md spec, originally created by Anthropic and released openly in December 2025. Hermes skills conform to that standard; they are not the same thing as it. And Hermes itself does not manually review every skill before publishing. It runs an automated security scanner that looks for data exfiltration, prompt injection, and malicious payloads. Its Skills Hub also aggregates skills across several tiers, where the Community tier is the largest, which is the opposite of a fully gated model.
So read the "curated" pitch below as the direction of travel for the controlled-trust camp, not a literal description of one company's gate.
Strengths
- Quality: vetted skills tend to be more reliable on average
- Security: automated scanning catches malicious or vulnerable code before it ships
- Compatibility: skills are tested against the runtime they target
- Trust: you can install with more confidence
Weaknesses
- Scale: far fewer skills than ClawHub
- Velocity: any review step slows publication
- Gatekeeping: some builders feel shut out by quality bars
- Centralisation: a single platform controlling the gate makes some users wary
The Hermes Approach
A caveat on the code below. The original article showed a Python install API, and the fact-check could not verify it. The real Hermes interface is CLI-based, along the lines of `hermes skills install openai/skills/k8s`. The snippet here, including the `verified_by`, `tested_with`, and `security_audit` metadata fields, is illustrative and reportedly does not match the shipping interface, so do not copy it expecting it to run.
```python
# Install a skill from agentskills.io
hermes.skills.install("database-migration", version="^2.1.0")

# Skills include metadata
skill = hermes.skills.get("database-migration")
print(skill.verified_by)     # Reviewer identity
print(skill.tested_with)     # Compatible Hermes versions
print(skill.security_audit)  # Audit date and result
```
Comparison
A few cells in this table carry the same caveats as the prose above. The skill counts are moving targets, the sentiment percentages have no traceable source (treat them as unconfirmed), and the install commands reflect the original article's framing rather than verified syntax for both platforms.
| Dimension | ClawHub.ai | agentskills.io |
|---|---|---|
| Philosophy | Open marketplace | Curated registry |
| Skill count | 12,847 | Hundreds |
| Security model | Review-on-report | Review-before-publish |
| Publisher friction | Low | Medium |
| User trust | Lower (post-CVE) | Higher |
| Community sentiment | 35% primary use | 30% primary use |
| Malicious skills found | 341 | 0 (known) |
| Typical install | openclaw skills install X | hermes.skills.install("X") |
A word on that CVE. CVE-2026-25253 is real: a critical remote-code-execution flaw disclosed on 3 February 2026, patched in version 2026.2.12. But it was a platform vulnerability in the Control UI, which trusted a gatewayUrl query parameter without checking it, exploited through a malicious web page. Calling it a flaw "triggered by a malicious skill," as the original did, slightly misstates how the attack worked.
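The kind of check a trusted-without-checking URL parameter needs, as an added example (not OpenClaw's patch and not code from the original article): the `gatewayUrl` value is parsed and matched against an explicit allowlist before anything connects to it. The allowlist entries, function names, and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only gateways this deployment may connect to (constructed values).
ALLOWED_GATEWAYS = {
    ("wss", "gateway.example.internal", 443),
    ("ws", "127.0.0.1", 8080),
}
DEFAULT_PORTS = {"ws": 80, "wss": 443, "http": 80, "https": 443}


def validate_gateway_url(raw):
    """Return the normalised origin of an allowed gateway, or raise ValueError."""
    if "\\" in raw or any(ch.isspace() or ord(ch) < 0x20 for ch in raw):
        raise ValueError("backslash, whitespace or control character in URL")
    parts = urlsplit(raw)  # raises ValueError on a malformed netloc
    scheme = parts.scheme
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme {scheme!r} is not supported")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not allowed in a gateway URL")
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    port = parts.port or DEFAULT_PORTS[scheme]  # .port raises ValueError if invalid
    if (scheme, host, port) not in ALLOWED_GATEWAYS:
        raise ValueError(f"{scheme}://{host}:{port} is not an allowed gateway")
    # Rebuild from validated parts; never hand the raw string to the connector.
    return f"{scheme}://{host}:{port}"


def is_trusted_gateway(raw):
    """Boolean wrapper for callers that only need accept or refuse."""
    try:
        validate_gateway_url(raw)
        return True
    except ValueError:
        return False


# Constructed inputs: the first is accepted, the rest must be refused.
SAMPLES = [
    "wss://Gateway.Example.Internal/ws?x=1",
    "wss://gateway.example.internal@attacker.example/",
    "wss://gateway.example.internal.attacker.example/",
    "ws://gateway.example.internal/",
]
```

Matching on the parsed (scheme, host, port) tuple rather than on a string prefix is what refuses the look-alike hosts in `SAMPLES`.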
The Future: Hybrid Models
The open-versus-curated argument is old news. npm, PyPI, and crates.io all started open and bolted on security and verification later. The author's bet, and it is a bet rather than a settled fact, is that agent skills land on a tiered middle ground:
- Unverified tier: anyone can publish, everything runs in a heavy sandbox
- Community verified: skills that clear endorsement and usage thresholds
- Officially verified: skills audited by the platform team and fully trusted
The appeal is choice. You take speed and breadth in the unverified tier, balance in the community tier, and safety in the official one. There is some real support for the direction: Hermes already runs tiered trust levels (built-in, official, trusted, and community). ClawHub's post-incident scanning and verification push points the same way. The fully fleshed-out three-tier model, though, is a forecast, not something any platform has shipped end to end.
Building Skills: Best Practices
Whether you publish to ClawHub, to a Hermes-style registry, or anywhere else:
- Document thoroughly: include examples, constraints, and failure modes
- Test comprehensively: unit tests, integration tests, and edge cases
- Version carefully: use semantic versioning and spell out breaking changes
- Secure obsessively: no eval, no shell execution, no undocumented network calls
- Handle errors gracefully: fail with a clear message, not a cryptic stack trace
- Respect constraints: accept and enforce whatever limits the user sets
- Minimise dependencies: every dependency is another link in your supply chain
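A pre-publish lint for the "secure obsessively" item, as an added example (not tooling from ClawHub, Hermes, or the original article): it walks a Python skill script's syntax tree and reports `eval`-style calls, shell execution, and imports of network modules the skill has not declared. The rule sets, the `declared_network` parameter, and the sample script are assumptions constructed for illustration.

```python
import ast

DYNAMIC_EXEC = {"eval", "exec", "compile", "__import__"}
SHELL_CALLS = {"os.system", "os.popen"} | {
    f"subprocess.{f}" for f in ("run", "call", "Popen", "check_call", "check_output")}
NETWORK_MODULES = {"socket", "urllib", "http", "requests", "httpx", "aiohttp"}

SAMPLE = (  # constructed skill script, not taken from any real package
    "import subprocess as sp\n"
    "from urllib import request\n"
    "def run(cmd, expr):\n"
    "    sp.run(cmd, shell=True)\n"
    "    return eval(expr)\n"
)

def _dotted(node):
    """Render a Name/Attribute chain such as subprocess.run as a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join([node.id] + parts[::-1]) if isinstance(node, ast.Name) else None

def audit_skill_source(source, declared_network=frozenset()):
    """Return sorted (line, rule, detail) findings for one skill script."""
    tree, aliases, findings = ast.parse(source), {}, []
    for node in ast.walk(tree):  # pass 1: imports, so aliases resolve in pass 2
        if not isinstance(node, (ast.Import, ast.ImportFrom)):
            continue
        for a in node.names:
            module = a.name if isinstance(node, ast.Import) else (node.module or "")
            root = module.split(".")[0]
            if isinstance(node, ast.Import):
                aliases[a.asname or root] = module if a.asname else root
            else:
                aliases[a.asname or a.name] = f"{module}.{a.name}"
            if root in NETWORK_MODULES and root not in declared_network:
                findings.append((node.lineno, "undeclared-network", module))
    for node in ast.walk(tree):  # pass 2: calls, with import aliases expanded
        name = _dotted(node.func) if isinstance(node, ast.Call) else None
        if name is None:
            continue
        head, _, rest = name.partition(".")
        full = aliases.get(head, head) + ("." + rest if rest else "")
        if full in DYNAMIC_EXEC:
            findings.append((node.lineno, "dynamic-exec", full))
        elif full in SHELL_CALLS:
            findings.append((node.lineno, "shell-exec", full))
    return sorted(set(findings))
```

This is a lint for your own skill before you publish it; it does not replace marketplace scanning or sandboxing of skills written by others.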
Here is the part worth sitting with. Models are converging, and the gap between the top systems keeps narrowing. Skills are doing the opposite: multiplying, specialising, and turning into the real point of difference. The platform that ends up with the skills people actually trust, broad enough to be useful and safe enough to install without a second thought, is the one that wins the users. The Koi Security audit was a reminder of what happens when trust is an afterthought.




