Skill Registries, Sharing, And Trust

Why a registry exists

Once you have a few skills, you want them in more than one project. Once your team has a few skills, they want everyone using the same ones. A registry is the index that makes that distribution possible — a known location where skills are published, versioned, and pulled from. OpenClaw supports public registries (community-shared) and private registries (your team's internal index).

The two registry shapes

Signing and provenance

A signed skill carries a cryptographic signature from its publisher. When the soul installs the skill, it verifies the signature against a known public key. If the signature is missing or fails to verify, OpenClaw refuses to install — or installs with a loud warning, depending on configuration. Signing does not make a skill safe; it makes the publisher accountable for what they shipped.

• Required for the official registry — skills published there must be signed by Anthropic-style verified publishers
• Optional but encouraged for private registries — sign with a team key so anyone installing knows it came from your team
• Skipped for vendored copies — once frozen in your repo, the signature is moot; you trust your own repo
• Validated at install — runtime re-validation is configurable for tighter shops

Permission scopes are the real defense

Every skill declares the tools and permissions it will use in its manifest. OpenClaw enforces those declarations at runtime — a skill cannot exceed its declared scope. The right defense in depth is to scope skills as narrowly as they can run: a release-notes skill needs `git log` and `git diff`, not full bash; a deploy skill needs your deploy command, not arbitrary network access.

# A well-scoped skill manifest snippet permissions: bash: - "git log:*" - "git diff:*" - "git tag --list" edit: - "CHANGELOG.md" - "docs/release-notes/*.md" network: false filesystem: read: ["."] write: ["docs/release-notes", "CHANGELOG.md"]A scoped permissions block. Allow only the verbs and paths the skill genuinely needs. Deny network unless the skill calls an API.

Security review checklist

1. Read the SKILL.md fully — does the procedure match what the description claims?
2. Check the permissions block — is anything wider than the workflow needs (full bash, write to home, network: true)?
3. Inspect every helper script in the skill folder — bash and python helpers are real code, audit them like dependencies
4. Search for exfiltration patterns — calls to unfamiliar URLs, base64 strings, environment variable reads of API keys
5. Check the publisher — is the signature from someone you recognize? Have they shipped other skills with a track record?
6. Pin the version — never auto-update third-party skills; review each upgrade before adopting
7. Test in a sandbox first — run the skill in a throwaway workspace and watch the trace before promoting it

Apply: harden one skill today

1. Pick the most-used third-party skill on your machine
2. Open its SKILL.md and read every line — does the procedure match the description?
3. Inspect the permissions block — would you be comfortable if every line ran right now?
4. Read every helper script in the folder — actually read them, not skim
5. Tighten the permissions in your local copy if anything is wider than necessary
6. Decide: keep, vendor at this version, or remove

The big idea: signing tells you who shipped a skill, scoping tells you what it can do, and only your audit tells you whether to trust it. Treat third-party skills like dependencies — pinned, scoped, reviewed.