feat: install GitHub-backed ClawHub skills

[Patrick-Erichsen]

Summary

• Resolve ClawHub installs through /api/v1/skills/:slug/install when no explicit version is requested.
• Support GitHub-backed install resolutions by downloading the resolved repo commit from GitHub codeload and copying only the resolved skill path into the local skills directory.
• Preserve the latest install-policy checks for both ClawHub archive installs and GitHub-backed installs.
• Report authenticated install telemetry to ClawHub after successful installs.
• Add unit and E2E coverage for GitHub-backed ClawHub skill installs.

Testing

• pnpm tsgo:core
• pnpm tsgo:test:src
• bunx vitest run src/skills/lifecycle/clawhub.test.ts --reporter=dot
• node scripts/run-vitest.mjs run --config test/vitest/vitest.e2e.config.ts src/cli/skills-cli.clawhub-install.e2e.test.ts --reporter=dot

[clawsweeper]

Codex review: found issues before merge. Reviewed June 4, 2026, 9:13 PM ET / 01:13 UTC.

Summary
The PR routes unversioned ClawHub skill installs through a new install resolver, adds GitHub codeload-backed skill downloads, reports install telemetry, and adds CLI/test coverage including a force-install option.

PR surface: Source +408, Tests +417, Other +4. Total +829 across 25 files.

Reproducibility: yes. for the blocking review path: source inspection shows the PR routes unversioned installs through /api/v1/skills/:slug/install, and a live check shows that endpoint returns 404 for an installable public skill while current detail/download endpoints still work.

Review metrics: 2 noteworthy metrics.

• New install control surfaces: 1 CLI option added, 2 env variable names added. The new --force-install flag and codeload host env aliases affect install behavior and source-download trust before merge.
• Default install path changed: 1 unversioned ClawHub install path changed. Normal openclaw skills install moves from detail/download resolution to the new resolver endpoint, which is an upgrade-sensitive workflow change.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🦞 diamond lobster
Patch quality: 🧂 unranked krab
Result: blocked by patch quality or review findings.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P2] Preserve the current detail/download fallback or provide live default-registry resolver rollout proof before merge.
• [P2] Reject non-40-hex GitHub resolver commits, or verify content hashes before download, lockfile, and install-policy recording.

Risk before merge

• [P2] Merging before the public ClawHub resolver is deployed, or without a fallback, would make documented unversioned ClawHub skill installs fail against the default registry.
• [P1] The resolver GitHub commit field is accepted as an immutable source without client-side validation, so a mutable ref could be locked and evaluated as pinned provenance.
• [P1] The PR adds a production-reachable codeload host override for source downloads, which is a security-sensitive env surface that needs explicit maintainer comfort if it remains.

Maintainer options:

1. Preserve default install compatibility (recommended)
   Keep the existing detail/download fallback for resolver 404 or gate the resolver path until the public registry endpoint is live, then cover both default-registry and resolver installs in tests.
2. Land only after registry rollout proof
   Maintainers could accept the resolver-only behavior if the public ClawHub deployment is completed first and the PR includes live proof against https://clawhub.ai.
3. Pause for source trust hardening
   If the permanent GitHub-backed install contract is still unsettled, pause the PR until immutable commit validation and any codeload override policy are explicit.

Next step before merge

• [P2] Maintainer/API rollout and source-trust decisions are still needed, so this is not a conservative cleanup close or a safe autonomous repair lane candidate.

Security
Needs attention: The diff improves the token boundary for off-registry archive URLs, but the GitHub-backed source-download path still needs immutable-ref validation before merge.

Review findings

• [P1] Keep unversioned installs working until the resolver is live — src/skills/lifecycle/clawhub.ts:917-921
• [P1] Validate resolver commits before treating them as immutable — src/skills/lifecycle/clawhub.ts:924-929

Review details

Best possible solution:

Land a version that preserves the existing unversioned install path until the default ClawHub resolver is live, validates GitHub commit immutability before download/lock/policy, and keeps any source-download override intentional and documented.

Do we have a high-confidence way to reproduce the issue?

Yes for the blocking review path: source inspection shows the PR routes unversioned installs through /api/v1/skills/:slug/install, and a live check shows that endpoint returns 404 for an installable public skill while current detail/download endpoints still work.

Is this the best way to solve the issue?

No: the resolver approach is plausible, but the best merge shape must preserve the existing default install path until rollout is proven and must validate immutable GitHub commits before recording source provenance.

Full review comments:

• [P1] Keep unversioned installs working until the resolver is live — src/skills/lifecycle/clawhub.ts:917-921
  For unversioned ClawHub installs this now always calls the new install resolver. The public registry still returns 404 for an installable skill at /api/v1/skills/calendar/install, while /api/v1/skills/calendar and /api/v1/download?slug=calendar&version=1.0.0 work, so merging this before deployment or fallback handling would break documented openclaw skills install <slug>.
  Confidence: 0.97
• [P1] Validate resolver commits before treating them as immutable — src/skills/lifecycle/clawhub.ts:924-929
  The resolver's github.commit is accepted as the installed version, codeload ref, lockfile value, and mutable: false install-policy source. If the resolver returns main, a tag, or another non-40-hex ref, OpenClaw records mutable content as pinned provenance; reject non-commit refs or verify the content hash before download and policy evaluation.
  Confidence: 0.92

Overall correctness: patch is incorrect
Overall confidence: 0.94

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e282cb2af50c.

Label changes

Label justifications:

• P1: The PR can break a documented ClawHub install workflow for real users if merged before resolver rollout or fallback handling.
• merge-risk: 🚨 compatibility: Existing unversioned skill installs against the default public registry can fail because the new resolver endpoint currently returns 404.
• merge-risk: 🚨 security-boundary: The diff changes source download provenance and install-policy trust for GitHub-backed skill archives.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🦞 diamond lobster and patch quality is 🧂 unranked krab.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (terminal): The contributor provided terminal proof from a real OpenClaw CLI process with a temporary resolver and real GitHub codeload archive; it is sufficient for the GitHub-backed path but does not settle public registry rollout.
• proof: sufficient: Contributor real behavior proof is sufficient. The contributor provided terminal proof from a real OpenClaw CLI process with a temporary resolver and real GitHub codeload archive; it is sufficient for the GitHub-backed path but does not settle public registry rollout.

Evidence reviewed

PR surface:

Source +408, Tests +417, Other +4. Total +829 across 25 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	7	460	52	+408
Tests	12	565	148	+417
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	6	39	35	+4
Total	25	1064	235	+829

Security concerns:

• [medium] Mutable resolver refs can be recorded as pinned source — src/skills/lifecycle/clawhub.ts:924
  The client uses latestResolution.github.commit directly as the codeload ref and immutable install-policy provenance without validating that it is a real commit SHA.
  Confidence: 0.92
• [low] Codeload host override broadens source-download trust — src/infra/clawhub.ts:476
  The production path reads OPENCLAW_CLAWHUB_GITHUB_CODELOAD_BASE_URL and CLAWHUB_GITHUB_CODELOAD_BASE_URL, allowing GitHub-backed installs to fetch archives from a different host while still using GitHub-style provenance.
  Confidence: 0.78

What I checked:

• Current main install path: Current main resolves unversioned ClawHub skill installs through skill detail metadata and then downloads /api/v1/download with the resolved version, preserving the documented openclaw skills install path. (src/skills/lifecycle/clawhub.ts:737, e282cb2af50c)
• PR install path: The PR branch changes unversioned installs to call fetchClawHubSkillInstallResolution at /api/v1/skills/:slug/install before any detail/download fallback. (src/skills/lifecycle/clawhub.ts:917, 9bf44b3a8d19)
• Live resolver rollout check: A live GET to https://clawhub.ai/api/v1/skills/calendar/install returned 404 Not found, while the same skill's detail endpoint returned 200, matching the contributor's note that the public resolver is not deployed yet.
• Existing live download path: A live GET to the current download path for calendar@1.0.0 returned HTTP 200, so the current public registry can still satisfy the shipped detail/download install flow that this PR bypasses.
• GitHub commit trust boundary: The PR uses latestResolution.github.commit as the installed version, codeload ref, origin commit, and immutable install-policy source without a 40-hex validation or content-hash check in the client path. (src/skills/lifecycle/clawhub.ts:924, 9bf44b3a8d19)
• Contributor proof: The contributor provided terminal proof from a real OpenClaw CLI process using a temporary local resolver and a real GitHub codeload archive from NVIDIA/skills; it proves the GitHub-backed path, but not public default-registry rollout. (231d0010c300)

Likely related people:

• steipete: Current-main blame for the ClawHub lifecycle and infra install helpers in this checkout points to Peter Steinberger commits, and GitHub history shows recent ClawHub skill/infra documentation touches by steipete. (role: recent area contributor; confidence: medium; commits: 6d58ff356227, 1275368151dd, 6c48a1256213; files: src/skills/lifecycle/clawhub.ts, src/infra/clawhub.ts)
• joshavant: GitHub history for the ClawHub lifecycle path shows the operator install policy work that this PR now feeds with GitHub-backed source metadata. (role: install-policy feature contributor; confidence: medium; commits: 154f439c8103; files: src/skills/lifecycle/clawhub.ts, src/skills/lifecycle/archive-install.ts, src/security/install-policy.ts)
• shakkernerd: GitHub history for the ClawHub lifecycle path shows a recent skills subsystem layout refactor, making this a useful routing candidate for lifecycle boundaries. (role: skills subsystem refactor contributor; confidence: medium; commits: d9278c8efdb5; files: src/skills/lifecycle/clawhub.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[Patrick-Erichsen]

GitHub-backed ClawHub install proof for 231d0010c3007e35315cca13c34914c70b9c0447.

I fixed the resolver archive URL auth boundary and added regression coverage that ambient ClawHub tokens are not sent to off-registry resolver archive URLs.

Local validation:

pnpm docs:list
PASS

pnpm lint --threads=8
PASS

pnpm tsgo:core
PASS

pnpm tsgo:test:src
PASS

bunx vitest run src/infra/clawhub.test.ts src/skills/lifecycle/clawhub.test.ts --reporter=dot
Test Files  2 passed (2)
Tests  85 passed (85)

node scripts/run-vitest.mjs run --config test/vitest/vitest.e2e.config.ts src/cli/skills-cli.clawhub-install.e2e.test.ts --reporter=dot
Test Files  1 passed (1)
Tests  1 passed (1)

pnpm exec vitest run --config test/vitest/vitest.agents-core.config.ts src/agents/workspace-templates.test.ts --reporter=dot
Test Files  1 passed (1)
Tests  5 passed (5)

pnpm exec vitest run --config test/vitest/vitest.agents-tools.config.ts src/agents/tools/pdf-tool.model-config.test.ts --reporter=dot
Test Files  1 passed (1)
Tests  12 passed (12)

Manual source-backed install proof:

• Real OpenClaw CLI process
• Temporary local ClawHub install resolver
• Real GitHub codeload archive from NVIDIA/skills
• Pinned source commit bb0436faf7c9c5270f2dbc3d30c39379e5e2305b
• Skill path skills/aiq-deploy
• Temp state path redacted

Manual GitHub-backed ClawHub install proof
startedAt=2026-06-04T23:58:28.496Z
resolver=http://127.0.0.1:<port>
source=https://github.com/NVIDIA/skills/tree/bb0436faf7c9c5270f2dbc3d30c39379e5e2305b/skills/aiq-deploy
command=OPENCLAW_STATE_DIR=<temp> OPENCLAW_CLAWHUB_URL=<local-resolver> openclaw skills install aiq-deploy --global
exitCode=0
--- stdout ---
Downloading aiq-deploy@bb0436faf7c9c5270f2dbc3d30c39379e5e2305b from GitHub...
Installing to <temp>/skills/aiq-deploy...
Installed aiq-deploy@bb0436faf7c9c5270f2dbc3d30c39379e5e2305b -> <temp>/skills/aiq-deploy
--- stderr ---
<empty>
--- resolver requests ---
GET /api/v1/skills/aiq-deploy/install
POST /api/cli/telemetry/install
--- installed files ---
SKILL.md size=13321 firstLine="---"
skill-card.md size=4067
--- telemetry summary ---
[
  {
    "rootCount": 1,
    "skills": [
      {
        "slug": "aiq-deploy",
        "version": "bb0436faf7c9c5270f2dbc3d30c39379e5e2305b"
      }
    ]
  }
]

https://clawhub.ai does not have the new install resolver deployed yet, so this proof uses a temporary local resolver while preserving the important external boundary: install bytes came from GitHub codeload for the pinned NVIDIA commit, not from a mocked zip.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Failed
• Detail: The targeted re-review did not finish cleanly. Check the workflow run for details.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26986949293
• Updated: 2026-06-05T00:09:25.858Z

[Patrick-Erichsen]

Follow-up after addressing the ClawSweeper finding and CI failures:

• Fixed the token-leak review finding: GitHub-backed archive URLs no longer receive the ambient OPENCLAW_CLAWHUB_TOKEN when the resolver returns an absolute non-ClawHub URL.
• Added a regression test proving the codeload request is made without Authorization.
• Fixed the heartbeat template regression from the first CI pass by keeping the canonical comment-only template non-actionable and teaching heartbeat parsing to ignore single-line HTML comments.
• Uploaded the manual GitHub-backed install proof here: feat: install GitHub-backed ClawHub skills #90478 (comment)

Local verification run:

git diff --check
pnpm lint --threads=8
pnpm tsgo:core
pnpm tsgo:test:src
bunx vitest run src/infra/clawhub.test.ts --reporter=dot
bunx vitest run src/infra/clawhub.test.ts src/skills/lifecycle/clawhub.test.ts --reporter=dot
node scripts/run-vitest.mjs run --config test/vitest/vitest.e2e.config.ts src/cli/skills-cli.clawhub-install.e2e.test.ts --reporter=dot
pnpm exec vitest run --config test/vitest/vitest.commands.config.ts src/commands/doctor-heartbeat-session-target.test.ts src/commands/doctor-heartbeat-template-repair.test.ts src/commands/doctor-session-locks.test.ts src/commands/doctor-session-snapshots.test.ts src/commands/doctor-session-state-providers.test.ts src/commands/doctor-session-transcripts.test.ts --reporter=dot
pnpm exec vitest run --config test/vitest/vitest.agents-core.config.ts src/agents/workspace.test.ts src/agents/workspace-templates.test.ts --reporter=dot
pnpm exec vitest run src/auto-reply/heartbeat.test.ts --reporter=dot

CI verification:

• Manual full CI passed: https://github.com/openclaw/openclaw/actions/runs/26987324105
• The two previously failing shards are green in that run:
  • checks-node-agentic-agents-core-runtime
  • checks-node-agentic-commands-doctor-sessions-cron

Note: the manual CI workflow was dispatched from main with target_ref=pe/clawhub-github-backed-installs, so the Actions page displays the workflow file SHA from main, while the preflight checkout resolved and tested the PR branch.