OpenClaw Skill Workshop: A Power User's Guide to Building Safer AgentSkills in 2026.6.1

If you run OpenClaw, you have probably watched your agent get better at the same repetitive jobs — the invoice follow-up, the release checklist, the repo health pass. The mechanism behind that is skills: small markdown procedures that teach the agent how and when to do something. In OpenClaw 2026.6.1, the way you create and manage them got a real upgrade — the Skill Workshop, a full proposal-and-review lifecycle backed by a Control UI dashboard. The follow-up beta, 2026.6.2-beta.1, hardened how plugins and skills get installed in the first place. This is a hands-on walkthrough of both, plus a Stay Safe section on the skills supply chain.

A skill is a directory with a SKILL.md file — YAML frontmatter on top (it names the skill and describes when to use it), markdown procedure below; OpenClaw follows the open AgentSkills spec, so the format is portable. The catch is that a skill is durable. A bad answer from your agent is a one-off you can ignore; a bad skill becomes part of how every future task gets done. That is exactly the problem the Skill Workshop was built to solve.

What the Skill Workshop adds in 2026.6.1

Instead of letting the agent write directly to your SKILL.md files, the Workshop puts a proposal queue between the agent and your active skills. When the agent notices reusable work, it drafts a proposal using the new skill_workshop tool rather than editing a skill file in place. Nothing changes until you approve it.

The 2026.6.1 release notes (June 3, 2026) list the Workshop additions explicitly:

• Control UI navigation and a styled dashboard — proposals get a real home, not a buried file tree.
• Proposal (board) view and Today view — the board is a searchable, filterable list organized by status; the Today view is a single-proposal screen with "use it / tweak it / skip" actions for fast review.
• Revision dialog — request changes and have the agent revise a proposal in place before you approve it.
• File preview modal and searchable preview files — inspect the support files (scripts, templates, examples, references, assets) before they touch your workspace.
• Reusable session handoff and localized strings — review work carries across sessions, and the UI ships translated.

Under the hood, proposals carry versioned, dated frontmatter and pass through a guarded review flow before they are applied, rejected, or left to go stale — with rollback metadata, so an applied skill is not a one-way door.

A concrete workflow: building a custom AgentSkill

Here is the loop I use to turn a repeated task into a durable skill.

1. Let the agent draft it. Do the task once, conversationally, the way you want it done. When it is something you will repeat, ask the agent to capture it as a skill. It drafts a proposal through the Workshop — it does not write to SKILL.md directly.

2. Review the proposal. Open the Control UI and find the pending proposal on the board, or list them from the CLI:

openclaw skills workshop list
openclaw skills workshop inspect <proposal-id>

inspect shows the proposed SKILL.md and its support files. Read the body like a pull request: is the trigger description tight enough that the agent won't fire it at the wrong time, and do the scripts do only what the description claims?

3. Iterate. If something is off, use the revision dialog in the Control UI to send it back with notes. The agent revises in place and the version history is preserved.

4. Apply it.

openclaw skills workshop apply <proposal-id>

The skill is now live. Because the frontmatter is versioned and rollback metadata is retained, you can back it out if it misbehaves. That review step is the whole point: you are not trusting the agent's first draft of a permanent procedure — every new skill has to earn its way in.

Safer installs in 2026.6.2-beta.1

The 2026.6.2 line moves plugin and skill installation onto an operator install policy instead of the old "dangerous-code scanner" path, with clearer doctor, CLI, ClawHub, and troubleshooting surfaces across package, archive, source, upload, and marketplace installs. Config recovery got stricter too — it now rejects corrupt shell snapshots, unsupported policy keys, unsafe exec-approval environments, and suspicious gateway startup config rather than limping along. In practice, your install behavior is governed by a policy you control (security.installPolicy), and a broken or tampered config fails loudly instead of silently.

Stay safe: the ClawHub supply chain is the real threat

Skills are the best part of OpenClaw and the most dangerous. An installed skill frequently inherits the full permissions of the host agent — so if your agent can read ~/.ssh or environment variables holding API keys, a malicious skill does not need to escalate anything. It already has what it wants.

This is not theoretical. Snyk's ToxicSkills audit scanned 3,984 skills across ClawHub and the wider ecosystem and found that about 36% (1,467) carry at least one security flaw — including 76 confirmed malicious payloads built for credential theft, backdoors, and data exfiltration. Separate tracking has counted at least 230 malicious skills uploaded to ClawHub since late January 2026 — credential stealers, backdoors, and skills whose innocent-looking SKILL.md lures you into installing a fake prerequisite that turns out to be macOS stealer malware.

OpenClaw's answer is registry-side. Every ClawHub skill now ships with a Skill Card recording who published it, what it can do, what the scanners found, and where it came from. At publish time a skill runs through three independent scanners — OpenClaw's static analysis, VirusTotal, and NVIDIA SkillSpector (which adds AI-assisted semantic analysis to catch hidden instructions, overbroad capabilities, and purpose-vs-behavior mismatches). An evaluation step, ClawScan, weighs all three plus provenance and emits a verdict: Clean, Suspicious, or Malicious. One nuance: SkillSpector findings are advisory — they inform the verdict, they do not automatically block a skill. The judgment is still partly yours.

So before you install anything from ClawHub:

1. Read the Skill Card — publisher, declared capabilities, ClawScan verdict, provenance. A "Suspicious" verdict is a stop sign, not a speed bump. Pull it inline with openclaw skills verify <slug> --card.
2. Treat third-party skills as untrusted code. Read the SKILL.md yourself; hidden or out-of-place instructions in the body are how indirect prompt injection rides in.
3. Run least privilege. Don't give an agent file-system or secret access it doesn't need. The lower the agent's privilege, the smaller the prize for a poisoned skill — and let the 2026.6.2-beta.1 install policy enforce a trust bar before anything lands.

For a deeper dive on credential exposure and supply-chain hygiene, see our Vibe Coder Security series, which covers the same threat class from the non-OpenClaw side.

Frequently asked questions

Do I have to use the Control UI, or can I drive the Workshop from the command line?
Both. The Control UI gives you the board view, Today view, revision dialog, and file preview modal. The CLI covers the core lifecycle with openclaw skills workshop list, openclaw skills workshop inspect <proposal-id>, and openclaw skills workshop apply <proposal-id>. Revising and rejecting proposals are review actions you take in the UI.

Is SkillSpector something I run on my own machine?
No. SkillSpector is NVIDIA's scanner, and it runs registry-side when a skill is published to ClawHub — alongside OpenClaw's static analysis and VirusTotal. Their combined output feeds ClawScan, which produces the Skill Card and a Clean/Suspicious/Malicious verdict. Your job is to read that card and verdict before you install, not to run the scanner yourself.

How risky is installing skills from ClawHub?
Risky enough to take seriously. Installed skills typically inherit the agent's full permissions, and researchers found prompt injection and hundreds of outright malicious skills in the ecosystem in 2026. The Skill Card and ClawScan verdict are your first filter, but still read the SKILL.md, run least privilege, and treat every third-party skill as untrusted code.

Can I undo a skill after I apply it?
Yes. Applied proposals retain versioned, dated frontmatter and rollback metadata, so an applied skill is not a one-way door — you can back it out if it starts behaving badly in real use.