Bug type
Behavior bug (incorrect output/state without crash)
Summary
The gateway's searchSkillsFromClawHub function in skills-clawhub-YOAxk_cv.js never passes the ClawHub auth token (from ~/.config/clawhub/config.json) when calling listClawHubSkills or searchClawHubSkills. All gateway-initiated ClawHub API requests are unauthenticated, hitting the global 120 req/min rate limit instead of the per-user 600 req/min authenticated limit. This causes the ClawControl "Available Skills" tab to permanently show "No skills found on ClawHub" once the global rate limit is exhausted.
Additionally, the /api/v1/skills list endpoint returns empty results when authenticated (it filters to the user's own published skills only), so even if the token were passed to listClawHubSkills, the "browse all" flow would still return nothing. The /api/v1/search endpoint works correctly with auth.
Steps to reproduce
- Install OpenClaw v2026.3.22 and log into ClawHub via clawhub login
- Start the gateway (openclaw gateway start)
- Open ClawControl → Skills → Available tab
- Observe "No skills found on ClawHub"
- Check gateway logs: openclaw logs | grep -i clawhub — shows ClawHubRequestError: ClawHub /api/v1/skills failed (429): Rate limit exceeded
- Run curl -sv https://clawhub.ai/api/v1/skills from the VPS — confirms ratelimit-remaining: 0 (global 120 limit exhausted)
- Run curl -s -H "Authorization: Bearer <clawhub_token>" https://clawhub.ai/api/v1/skills — returns {"items":[],"nextCursor":null} (empty, because authenticated list filters to user's own published skills)
Expected behavior
The gateway should read the ClawHub auth token from ~/.config/clawhub/config.json and pass it to all ClawHub API calls (listClawHubSkills, searchClawHubSkills, fetchClawHubSkillDetail, downloadClawHubSkillArchive). The "Available Skills" tab in ClawControl should display the full ClawHub skill catalog. Authenticated requests should use the per-user 600 req/min rate limit instead of the global 120 req/min unauthenticated limit.
Actual behavior
- All gateway ClawHub API requests are unauthenticated, consuming the global 120 req/min rate limit shared across all users.
- The gateway hits 429 rate limits within seconds of starting, causing "No skills found on ClawHub" in ClawControl.
- Even if the token were passed, listClawHubSkills calls /api/v1/skills which returns empty {"items":[]} when authenticated (filters to user's own published skills).
- The /api/v1/search endpoint works correctly with auth and returns the full catalog.
Workaround applied: Patched skills-clawhub-YOAxk_cv.js to load token from ~/.config/clawhub/config.json and route the "no query" browse path through /api/v1/search?q=* instead of /api/v1/skills.
OpenClaw version
2026.3.22
Operating system
Ubuntu 22.04
Install method
npm global
Model
N/A (this bug affects ClawHub skill browsing, not model inference)
Provider / routing chain
N/A (ClawHub API integration, not model routing)
Additional provider/model setup details
N/A — this bug is in the ClawHub skill marketplace integration, not model routing. The gateway's skills-clawhub-YOAxk_cv.js module makes unauthenticated HTTP requests to https://clawhub.ai/api/v1/skills and /api/v1/search without reading the locally stored ClawHub auth token.
Logs, screenshots, and evidence
Impact and severity
- Affected: All ClawControl users who have logged into ClawHub — the "Available Skills" tab is completely broken
- Severity: Blocks workflow — users cannot browse or install skills from ClawHub via ClawControl
- Frequency: Always reproducible (100%) — the global 120 req/min rate limit is easily exhausted by any active gateway
- Consequence: ClawHub skill marketplace is unusable from ClawControl; users must use CLI clawhub search as a workaround, which also hits rate limits quickly
Additional information
Root cause: In skills-clawhub-YOAxk_cv.js, the functions searchSkillsFromClawHub, listClawHubSkills, fetchClawHubSkillDetail, and downloadClawHubSkillArchive all accept a token parameter, but the gateway never passes it. The token is stored locally at ~/.config/clawhub/config.json after clawhub login, but the gateway code doesn't read it.
Two separate issues:
- Without the token, requests use the global 120 req/min rate limit (shared across all unauthenticated users). Authenticated requests get 600 req/min per user.
- Even if the token is passed, the /api/v1/skills list endpoint returns only the user's own published skills when authenticated (empty for most users). The /api/v1/search endpoint works correctly with auth and returns the full catalog.
Workaround applied: Patched skills-clawhub-YOAxk_cv.js to load the token from ~/.config/clawhub/config.json and route the "no query" browse path through /api/v1/search?q=* instead of /api/v1/skills.
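A sketch of the token loading and request routing the report asks for, added here as an example; it is not OpenClaw's code or the reporter's patch. The function names and the "token" key inside config.json are assumptions, and the token is attached only when the request targets the ClawHub HTTPS origin.

```javascript
// Added example: hypothetical helpers, not the gateway's actual module.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

const CLAWHUB_ORIGIN = "https://clawhub.ai";
const DEFAULT_CONFIG = path.join(os.homedir(), ".config", "clawhub", "config.json");

// Returns the stored token, or null when the file is missing, unreadable,
// malformed, or holds no usable token (caller then stays unauthenticated).
function loadClawHubToken(configPath = DEFAULT_CONFIG) {
  try {
    const parsed = JSON.parse(fs.readFileSync(configPath, "utf8"));
    const token = parsed && parsed.token; // assumed key name
    // Accept only printable ASCII without spaces, so a corrupted value
    // (for example one containing CR/LF) never reaches a header.
    if (typeof token !== "string" || !/^[\x21-\x7e]+$/.test(token)) return null;
    return token;
  } catch {
    return null;
  }
}

// Builds the URL and headers for the browse/search path from the report.
function buildSkillsRequest({ query, token, baseUrl = CLAWHUB_ORIGIN } = {}) {
  const url = new URL("/api/v1/search", baseUrl);
  // Empty query means "browse all": use search?q=* because the authenticated
  // /api/v1/skills list returns only the caller's own published skills.
  url.searchParams.set("q", query && query.trim() ? query.trim() : "*");
  const headers = { Accept: "application/json" };
  // Send the bearer token only to the ClawHub origin over HTTPS, so an
  // overridden or misconfigured base URL never receives the credential.
  if (token && url.origin === CLAWHUB_ORIGIN) {
    headers.Authorization = `Bearer ${token}`;
  }
  return { url: url.toString(), headers };
}
```

The returned object can be handed to whatever HTTP client the gateway uses; the token value itself should stay out of log lines such as the ClawHubRequestError message.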