ClawHub(clawhub.ai)
43 pointsby druther4 hours ago10 comments
  • giancarlostoro4 hours ago
    So I click on "Skills" and it feels like the page cannot decide what to show me, every item on the list shifts and moves, how is anyone supposed to click on something if it disappears?
  • m-hodges4 hours ago
    This is what? The 4th or 5th attempt at this in the past two weeks?
    • verdverm3 hours ago
      Welcome to the world with zero cost software
      • sph3 hours ago
        Show HN as a service
        • verdverm3 hours ago
          At least we nipped the Moltbook march in the butt before it got bad here
  • dsrtslnd233 hours ago
    The trust problem here is real. Stars and download counts are trivially gameable, VirusTotal is reactive not proactive, and most of these skills are just thin wrappers around CLI tools anyway.

    Tangentially related but Clacker News has been interesting to watch on this front - it's a bot-only HN where agents post and comment autonomously. The skill file there is just a single static markdown doc that tells agents how to use the API. No registry, no install step.

    • dematz2 hours ago
      "Clacker News has been interesting to watch on this front"

      same account

      "I've been building clackernews.com"

      seems a little misleading to mention your site without saying it's your site

      • toraway2 hours ago
        Wow, you are not exaggerating by "a little misleading", like half the posts on that account's history are undisclosed promotion/praise of Clacker News, and then a couple claiming ownership of it.

        There's even one comment referring to Clacker News with "they"! I'd say that's crossing over the line from misleading to outright intent to deceive.

        https://news.ycombinator.com/item?id=46896694

        But more honest than making up sockpuppets to do it I guess...

    • assimpleaspossi2 hours ago
      >Stars and download counts are trivially gameable

      I have no clue what this thing does but if it's about giving out stars and download counts then I question the value of it.

    • efilifean hour ago
      Stop spamming. You've been posting this everywhere without even disclosing that it's your site. I'm probably shooting a mail to dang tomorrow to take a look at this
      • dsrtslnd2319 minutes ago
        noted. You are right - I should have disclosed it. CN is my site.
    • varenc3 hours ago
      Clacker News link: https://clackernews.com/
      • ge963 hours ago
        ClankerNews wasn't available?
  • isodev3 hours ago
    So let's recap:

    - I click skills.

    - The first one is WireGuard "... secure routing and key management".

    - I'd download it, hook it to this bot running on my system.

    - I'd ask the bot to store / manage super-secret keys that protect actual servers with user data and personal details and god knows what...

    - The bot follows my commands by spelunking random snippets of markdown, running other programs on my computer, doing web searches, reading what it finds on the web and giving itself more commands to do...

    I've only been in tech for like 20 years or so but I feel like either I'm missing something substantial or some kind of madness is happening to people.

    • dpoloncsak2 hours ago
      You're downloading untested code from an unknown user on a random literally just-spun-up 'marketplace' and are shocked when it doesn't work
      • Shank2 hours ago
        > I've only been in tech for like 20 years or so but I feel like either I'm missing something substantial or some kind of madness is happening to people.

        People are extremely eager for a helpful AI assistant that they are willing to sacrifice security for it. Prompt injection attacks are theoretical until they hit you. Until you're hit you're just having fun riding the wave.

      • monoosoan hour ago
        I think you misinterpreted GP's comment (or at least the tone).
  • free_bip4 hours ago
    Who is scanning these skills for malware? This seems like a prime target for malicious actors.
    • dpoloncsak2 hours ago
      These are single-file .MDs, right? Written in markdown...

      Can't you just read it?

      • writeslowly2 hours ago
        I see a number of uploaded skills on the site with bash and python scripts. No idea what runs them
        • dpoloncsak2 hours ago
          Oh god...I guess I haven't gotten that deep in the crap yet
    • ru5524 hours ago
      Virustotal at upload and periodically during the day
      • Nextgrid3 hours ago
        VirusTotal is completely useless for this though? You need enough people to be pwned by that particular piece of malware for it to be flagged as dangerous, by which point the attackers would've already repacked it so it doesn't match the previous signature.
        • dpoloncsak2 hours ago
          Adding on here...

          VirusTotal is flagging the trello skill as suspucious because it Does NOT include an API key? Am i expected to share my keys if I want to upload a skill?

          https://clawhub.ai/steipete/trello

          "Requiring TRELLO_API_KEY and TRELLO_TOKEN is appropriate for Trello access, but the registry records no required env vars while SKILL.md documents them. This omission is problematic: the skill will need highly privileged credentials but the published metadata does not disclose that requirement. The SKILL.md also references 'jq' and uses curl, but these are not declared in the registry entry."

  • arnvald4 hours ago
    Do these skills actually provide much value? Like, how much better are they than something that I could tell Claude to generate based on a single API doc from Slack/Trello?
    • Flavius4 hours ago
      Zero. If a skill actually provides value, one of two things happens: it gets absorbed into Claude Code (or similar) within a week, or a company packages it up and charges real money for it. The "free skill that gives you an edge" window is essentially nonexistent. By the time you find it, everyone else has it too. You're better off learning to prompt well against raw API docs than chasing a library of pre-built skills that are either trivial to recreate or about to be made redundant.
    • clandry944 hours ago
      From my experience, most are just some high level instructions on how to use CLI tools installed on the system. A lot of the CLI tools they're calling out to have 0 reputation on Github or don't work at all.

      I've had more luck writing my own skills using CLI tools I know and trust.

      • CuriouslyC4 hours ago
        That's a big part of the reason skills are exploding, people use them as stealth marketing in addition to being a malware injection vector.
    • raffkede4 hours ago
      Skills is actually what also Claude code uses internally, it's cool because the llm will load the whole context on how to use it only on demand and keeps the context cleaner.
    • neya4 hours ago
      My understanding is that it's just an abstraction layer that feeds right into the context window. Might as well just feed it into the prompt. I think cursor even proved that skills aren't as good as direct prompts (or something to that extent, can't remember exactly)
    • mrexcess2 hours ago
      >Do these skills actually provide much value?

      IMO, yes. Gemini et. al. out of the box are good at composing, but are entirely passive. Skills enable you to - easily, with low code/no code - teach your AI to perform active tasks either upon direction or under any automatic conditions you specify. This is incredibly powerful. Incredibly dangerous, too, but so is a car when compared with a skateboard.

  • StevenNunez3 hours ago
    Does Openwork replace the need for openclaw? Seems like a more grown up version of it.
  • mrbluecoat2 hours ago
    > Upload AgentSkills bundles, version them like npm, and make them searchable with vectors. No gatekeeping, just signal.

    Sigh, when I read this and only understand "npm", I feel like retiring.

    • assimpleaspossi2 hours ago
      Half the stuff posted like this doesn't give a clue what it does at all much less use made up phrases that make no sense (to most of us).
  • incomingpain2 hours ago
    I have the clawhub skill disabled. You really shouldnt use it, especially when you can just have your claw create their own skills as needed.
  • etchalon4 hours ago
    How could a public repository of unverified skills that can be downloaded by casual users for a software tool that allows for un-gated access to private information, including financial information, possibly go wrong?

    "Don't worry, we have stars."

    Itchy and Scratchy land is open for business.

    • acidocious3 hours ago
      "Bort? Who the hell is called Bort?!"