- Web/API: surface an "API key required" attribute on skills so listings, cards, and detail views show whether a skill needs an LLM API key, with publish-time inference from skill prompts and metadata (#2353) (thanks @momothemage).
- API: fix
GET /api/v1/skillspagination socursoradvances to the next page instead of repeating the first page for supported non-trending sorts (#2275) (thanks @vyctorbrzezowski, @enerj).
- CLI/API: add self-serve org publisher creation with
clawhub publisher create <handle>and scoped package publish errors that point to the command.
- CLI/API: make package publishes robust under parallel same-publisher release jobs by avoiding unnecessary shared publisher writes, retrying transient Convex contention, and labeling contention separately from package validation failures (#2291).
- Security: move upload ClawScan classification to a GitHub Actions Codex worker, treat VirusTotal as telemetry-only signal, and trust verified
@openclaw/*plugin packages by default. - Security: cancel pending skill ownership transfers before rejecting accept attempts when the requester is inactive or the skill is hidden, removed, or malicious (#2276, #2277) (thanks @vyctorbrzezowski).
- API/CLI: fix package delete returning 500 for packages with capability tags when no capability search digest row existed yet (#2212) (thanks @momothemage).
- API: return a clear 400 for
/api/v1/packages/searchwithout a non-emptyqinstead of treatingsearchas a package name (thanks @vyctorbrzezowski). - Web/API: keep search results limited to items with match evidence, preserve trust and popularity as tie-breakers, and show
N+counts without exact count queries (#2206) (thanks @vyctorbrzezowski). - Web: preserve
ownerHandlethrough legacy skill publish redirects so org admins land in the correct new-version owner context (#2177). - Settings: save display name/bio changes even when a legacy personal publisher handle conflict prevents publisher profile sync (#1199).
- Auth: show a visible error if the GitHub sign-in request fails before the provider redirect starts (#2197).
- Schema: include
.tsv,.conf,.properties, and.datin the exported text-file allowlist and regenerate the committed schema package runtime (#2172, #874) (thanks @alexuser). - API: return
400for invalid known public package filters and invalid skill list sort values, while continuing to ignore unknown query parameters (#2184). - API/docs: document v1 plain-text error responses and expose owner metadata in the OpenAPI search result schema (#2187) (thanks @vyctorbrzezowski).
- Web: rank publisher card preview items by downloads instead of recent publish order (thanks @vyctorbrzezowski).
- Web: remove the desktop Files tab height cap and make mobile truncation explicit (thanks @vyctorbrzezowski).
- Web: keep skill/plugin detail tabs at mobile-friendly touch target height.
- CLI/API: include skill owner handles in search results so duplicate/common slugs are easier to disambiguate (thanks @vyctorbrzezowski).
- Web: let skill publishers pick a curated lucide icon for cards and listings (#2174) (thanks @momothemage).
- Web/API: add keyword-based plugin categories plus API-backed plugin search sorting for recently updated, newest, and name (#2118) (thanks @vyctorbrzezowski).
- Web: polish the starred skills page with grid/list controls, sorting, and optimistic unstar behavior (#2159) (thanks @vyctorbrzezowski).
- API/docs: expand the v1 OpenAPI contract with package/plugin catalog endpoints and align documented rate limits with the server constants (#2186) (thanks @vyctorbrzezowski).
- Admin/Ops: audit profile syncs, self-service account/profile changes, personal publisher syncs, and org trusted-publisher changes so slug and ownership investigations have a complete ledger.
- Dependencies: update production
@clack/prompts,tailwind-merge, andyamldependencies (#2198).
- Web: polish dashboard artifact cards, loading skeletons, skill summary/detail layout, and adoption metrics after the 0.14 release (#2150, #2153, #2156, #2157, #2158, #2160).
- Docs/dev: clarify pre-PR validation gates for local contributors (#2161).
- Web: show plugin settings actions to package managers and preserve manager access in dashboard rows (#2163, #2168).
- Web: refresh skill star state after mutations and keep skill tabs from causing horizontal scroll (#2154, #2155).
- Web: show owner names when handles are hidden, and clarify editable skill summary settings copy (#2151, #2162).
- Dashboard: add a publisher switcher so org-owned skills and plugins are visible to org admins after transfer or publish (#2132).
- Web: let org publishers/admins republish transferred org-owned skills without the publish form treating the existing slug as taken, including legacy users with synthesized personal publishers (#2171).
- CLI: send skill ownership command payloads as JSON objects so rename/merge operations reach the API correctly (#1300).
- CLI: keep an install fingerprint in skill origin metadata so
clawhub update <skill>does not report fresh installs as local changes when the server cannot resolve the current hash (#169). - CLI: migrate cached
registry.clawhub.airegistries back toclawhub.aisoclawhub exploreno longer talks to the retired Vercel deployment (#1098). - CLI: publish
.tsv,.conf,.properties,.dat, and safe extensionless text files while excluding dotfiles and sampling extensionless files before full reads (#874). - Tests: remove obsolete rescan e2e probes that no longer match current moderation behavior (#2152).
- Web: add publisher notes and unify ClawScan review pages (#2111).
- Dev: auto-start services for Codex worktrees and add a local dev persona FAB (#2146, #2147).
- Dev: add a local ClawScan dry-run helper script (#2143).
- API: return deterministic 403 responses for skill/package rescan and package transfer permission denials, with CI e2e coverage for protected write endpoints.
- Web: redesign Settings into focused account, organization, API token, and account deletion views with responsive desktop and mobile layouts (#2134) (thanks @vyctorbrzezowski).
- Web: replace the Users directory with a Publishers discovery surface covering builders and organizations, add
/publishersas the canonical route, and keep/userscompatibility (#2087) (thanks @vyctorbrzezowski). - Web: polish browse/listing surfaces across skills, plugins, and search, including plugin card view parity, clearer search controls, visible safety filtering, and more consistent card metadata treatment (#2084) (thanks @vyctorbrzezowski).
- Web: allow skill owners and publisher admins to edit a skill summary from the detail page (#1411) (thanks @SylvanXiao).
- CLI/Auth: add device-code login for remote or headless shells, backed by ClawHub device authorization endpoints (#1867) (thanks @LumenFromTheFuture).
- CLI: add per-skill pinning so installed skills can be frozen against direct updates, bulk updates, and force reinstalls (#1806) (thanks @deepujain).
- Web: rename the skills and plugins browse alternate view from Cards to Grid while keeping legacy
view=cardsURLs compatible (#2119) (thanks @vyctorbrzezowski). - Dev docs: refresh generated Convex AI guidance files (#2000).
- Moderation: stop treating VirusTotal Code Insight/Palm verdicts as a hide authority for skills; real AV-engine hits and ClawScan findings still contribute moderation verdicts.
- Moderation: stop treating static suspicious-only findings as a verdict; keep file/line evidence for review while VT/LLM decide public suspicious status.
- ClawScan: reduce false positives for scoped uninstall cleanup, declared provider login flows, Basic Auth/base64 handling, and user-directed provider uploads while hard-blocking stealth browser abuse patterns.
- ClawScan: lower false positives by treating purpose-aligned notes as benign unless structured LLM findings contain a material concern, and add targeted rescan batches for suspicious skills/plugins.
- Moderation: split visible ClawScan review guidance from hidden suspicious filtering, and add operator cleanup for stale aggregate rows and obvious test/placeholder suspicious skills.
- Security: add an admin-only moderation hold lift path for false-positive publisher holds, with audited skill restoration that preserves independently hidden skills (#1133) (thanks @Justincredible-tech).
- Moderation: let platform moderators and admins trigger skill/package security rescans for any owner from the CLI, without consuming the owner recovery cap.
- ClawScan: include package
openclaw.environmentenv/config declarations in package review prompts so declared plugin runtime requirements are not reported as missing (#2013). - Skills/Packages: let publisher admins manage owned lifecycle operations consistently, including skill rename/delete/restore, direct skill moves into org publishers they administer, package restore from the CLI/API, and direct moves back to their personal publisher.
- Skills: repair publisher-owned skill merges, bound historical slug redirects, block protected slug namespaces, and expire owner-unpublished slug reservations after 30 days (#2115) (thanks @fuller-stack-dev).
- Skills: allow confirmed owner migration when republishing an existing skill to another publisher, preserving versions, stats, aliases, and audit history (#1998, #2102) (thanks @momothemage).
- Security: block owner delete/undelete paths from overriding moderator or scanner hides, and return explicit 403 authz responses for owner restore denials (#2078) (thanks @momothemage).
- CLI/API: send skill transfer payloads as JSON objects so transfer requests reach the API correctly.
- Packages: keep package search digests schema-safe during delete/restore so package lifecycle CLI calls do not fail after provenance updates.
- Search: recall skill matches by non-first slug/display-name tokens while keeping multi-token queries on the direct recall path constrained to all query tokens (#2140) (thanks @momothemage).
- Search/Web: disclose when
/searchis hiding suspicious skills and add an explicit opt-out so unified search no longer silently differs from/skillsfor the same query (#2079) (thanks @momothemage). - Uploads: accept PowerShell
.ps1,.psm1, and.psd1files as text-based skill files while keeping normal scan coverage (#897) (thanks @cute-omega). - Packages: count package install stat events separately from package downloads and record npm tarball fetches as installs (#1712).
- Web: keep the Publishers directory responsive for high-volume publishers by using bounded published-item previews, and abort stale unified-search plugin requests during route changes.
- Web: point skill, plugin, and soul owner links directly at canonical
/p/:handlepublisher profiles instead of legacy redirect routes. - Web/API: ignore stale public skill-list cursors from older sort or safety-filter indexes instead of throwing pagination errors.
- Web: restore dashboard skill metrics for owned skills and use pointer cursors on dropdown menu items (#2113) (thanks @fuller-stack-dev).
- Web: show the skills browse
Hide suspiciouscontrol only when the loaded results include suspicious skills (thanks @vyctorbrzezowski). - Web: align signed-in header avatar controls across desktop and mobile so the menu trigger keeps consistent sizing, truncation, and dropdown styling (#2124) (thanks @vyctorbrzezowski).
- Web: constrain settings, profile content, skill detail, and plugin detail pages to the header content width while preserving profile hero bleed (thanks @vyctorbrzezowski).
- Web: show publish-page validation next to the relevant fields and upload picker so invalid inputs are not buried below the form (#908) (thanks @AndyZhengyan).
- Docs: remove README references to the inactive onlycrabs.ai domain while leaving the internal SoulHub configuration generic (#951) (thanks @muescha).
- Docs/dev: document the local Convex site proxy URL and make worktree setup reject misconfigured local site URLs that break HTTP routes (#2060) (thanks @vyctorbrzezowski).
- Dev setup: make local seed reset deterministic by cleaning stale seed lookup and badge rows for repeated Convex dev runs (#2057) (thanks @vyctorbrzezowski).
- CLI/API: allow skill publishes to target an org/user publisher with
--owner/ownerHandle, and keep rootSKILL.mdpublishable even when broad ignore rules match Markdown files (thanks @deepujain). - Packages: expose owned plugin/package soft-delete in the CLI and dashboard, keep moderator takedown access, and remove deleted packages from package search surfaces (thanks @Patrick-Erichsen).
- Packages: support monorepo package publishes, infer package owners from scoped names, and keep dry-run publishes metadata-only.
- Packages: validate code-plugin runtime entries against extracted files, allow admin plugin release publishes, and raise trusted-publish/admin API rate limits for legitimate publish bursts.
- API/Search: return lean skill list payloads, route package search through digest indexes, decode scoped package paths, and bound fallback scans to reduce production read pressure.
- Web: restore skill downloads and search paging, canonicalize scoped plugin paths, and improve mobile layout responsiveness.
- Security: add scanner checks for confirmation bypasses and Python file upload exfiltration while reducing generic false-positive package tags.
- CLI: publish code plugins as clawpacks and allow legacy package downloads to keep older install flows working.
- API: resolve scoped package routes and accept scoped npm packuments.
- Schema: allow nullable package SHA values in package responses and refresh generated schema artifacts.
- Packages: add clawpack parsing, uploads, mirror artifact routes, artifact downloads, release moderation, reports, appeals, and official migration management across API, dashboard, and CLI.
- Security: add ClawScan security surfaces, owner rescan guidance, scanner-specific report pages, security dataset snapshots, and redacted skill-content exports.
- CLI: add unban support, moderation diagnostics in
inspect, manual skill-directory listing, package environment filters, and package migration-status commands. - Web: add skills/plugins search typeahead, featured plugin curation, plugin management tools, skill upload shortcuts, and dashboard pagination.
- API: raise public read rate limits to reduce false-positive 429s from browser pages and production smoke tests (thanks @steipete).
- CLI/moderation: allow
delete,hide,undelete, andunhideto record moderation reasons in skill notes and audit logs for legal or policy reviews (thanks @steipete). - Packages: make package publish retries idempotent, constrain catalog queries, keep package list queries single-page, count package archive downloads, and keep beta plugin packages off
latest. - Search: add soul lexical fallback, non-suspicious digest indexes, normalized skill prefix recall, and more stable relevance recall windows.
- Security: broaden static scanner coverage for unsafe credential, subprocess, browser-file, provider-secret, and remote-recipe patterns while hardening prompt-boundary handling.
- Deploy/CI: harden production smoke checks, expand PR validation coverage, add dead-code gates, and stabilize CodeQL light coverage.
- Dependencies: pin
undicion the Node 20-compatible line after reverting the incompatible v8 update.
- Security: add owner rescan requests, owner flagged inventory, scanner-specific security pages, and in-progress scan states.
- UI: adopt shadcn-managed primitives and polish the rescan/security surfaces for mobile.
- Moderation: calibrate VirusTotal Code Insight suspicious verdicts so uncorroborated AI-only findings do not keep otherwise clean skills quarantined (#1830, #1841) (thanks @deepujain).
- Security: flag exposed secrets in skill docs and normalize VirusTotal engine stats before caching.
- Packages: constrain plugin catalog queries and avoid catalog/package-list query limits.
- Auth: tolerate stale auth state when reading star status.
- CI: harden and debounce ClawSweeper dispatch workflows and fix production smoke coverage.
- Docs: clarify that ClawHub does not support paid skills, per-skill pricing, or paywalled releases (#1752, #1844) (thanks @deepujain).
- API docs: clarify how third-party directories can reuse public ClawHub catalog endpoints while respecting rate limits and canonical links (#1825, #1845) (thanks @deepujain).
- Packages docs: document the required fields for code-plugin package publish flows (#1802) (thanks @deepujain).
- Search: add CJK tokenization support (Chinese/Japanese/Korean) with Intl.Segmenter plus fallback behavior to improve skill query matching (#1596) (thanks @pq-dong).
- Stats: centralize migrated skill stat fallback reads through
readCanonicalStat()and add schema/agent guardrails to discourage direct legacy nested-field access (#1709) (thanks @momothemage).
- Packages: use the configured
GITHUB_TOKENfor trusted-publisher repository identity lookups to avoid anonymous GitHub API rate limits during publish setup (#1820, #1846) (thanks @deepujain). - Packages: keep package search fallback scans bounded, stop scanning after the requested result limit, and keep direct plugin-name matches scoped to the requested package family (OpenClaw #64025).
- Moderation: stop flagging declared env vars sent to their intended API while preserving broad env scraping and exfiltration findings (#1803) (thanks @deepujain).
- Moderation: stop treating generic webhook integration docs as suspicious unless they include explicit Discord or Slack webhook endpoints (#1716) (thanks @langningchen-openclaw).
- Search: increase initial vector candidate pools and align CLI search's default limit with the web UI so high-scoring matches are not missed at small limits (#1375, #1429) (thanks @tjefferson).
- Search: fall back to lexical skill search when embedding generation fails instead of returning empty skill results (#1291) (thanks @goulonghui).
- Search: rank exact slug matches above longer slugs that merely contain all query tokens (#1130) (thanks @QuinnH496).
- Search: widen lexical fallback coverage and scan recently created skills so newly published skills can be found before embeddings rank well (#1185, #1200) (thanks @thirumaleshp).
- Search: preserve vector scores across candidate expansion and require all query tokens to match exact-token filters so relevant skills are not crowded out (#1759, #1762) (thanks @LinPower).
- Stats maintenance: keep skill stat migration fields synchronized by treating top-level stat fields as canonical during backfill/reconcile fallback reads (#1704) (thanks @momothemage).
- Skill install: render OpenClaw CLI commands with the bare slug that the current CLI accepts (#1807).
- Skills: keep historical tags out of public skill detail surfaces while preserving manager visibility (#1804) (thanks @deepujain).
- Skills moderation: keep hash-based scanner callbacks from overwriting skill-level moderation for older versions (#1805) (thanks @deepujain).
- Skills: prevent backport publishes from clobbering
lateststate and guard malformed persisted latest semver values during publish comparisons (#1832) (thanks @momothemage).
- Design system: introduce a shared UI component library (
src/components/ui/) built on Radix UI primitives — Button, Card, Badge, Tabs, Dialog, Input, Textarea, Label, Select, Avatar, Separator, Tooltip, ScrollArea, Sheet, Skeleton, and Table — following the shadcn/ui pattern withcn()+ Tailwind utilities. - Design system:
ButtonsupportsasChildvia Radix Slot for polymorphic rendering (e.g., wrapping<Link>without extra DOM). - Layout: add
Containercomponent withnarrow/default/widesize presets andBreadcrumbcomponent for hierarchical navigation. - Loading: add skeleton loading states (
SkillCardSkeleton,SkillDetailSkeleton,DashboardSkeleton) replacing text-based "Loading..." indicators with animated placeholders. - Errors: add
ErrorBoundarywithresetKeyprop that auto-resets on route changes, wired into the root layout. - Errors: surface fallback messages from Convex API error payloads in mutation/action error toasts.
- UX: add
EmptyStatecomponent with icon, headline, description, and optional CTA action used across dashboard, stars, profile, and publish pages. - UX: add confirmation dialogs for destructive skill ownership actions (transfer, abandon).
- Markdown: add
MarkdownPreviewcomponent withreact-markdown,remark-gfm, andreact-syntax-highlighterfor rich rendering of skill/plugin READMEs with syntax-highlighted code blocks, GFM tables, and task lists. - Markdown: render tables with the new
TableUI primitive for consistent styling across skill docs. - Navigation: replace DropdownMenu-based mobile nav with a slide-out
Sheetpanel. - Validation: add Zod schemas (
src/lib/schemas.ts) for publish-skill, settings, report, and org forms. - Management: restore capability-tags UI (crypto, requires-wallet, can-make-purchases, etc.) that was silently removed during the initial refactor.
- Management: add
.catch()error handling with toast feedback onsetSoftDeletedcalls; prompt for hide/restore reasons.
- CSS: migrate from a monolithic 5,161-line
styles.cssto Tailwind utilities on components, pruning CSS to ~1,000 lines (81% reduction). Dark mode now uses Tailwinddark:variants via a@variant darkdirective bridging existing CSS custom properties. - Tailwind: add
@themeblock mapping all CSS design tokens (--bg,--surface,--ink,--accent,--line,--radius-*, etc.) into first-class Tailwind utilities. - Pages: modernize all route pages (home, skills browse, skill detail, dashboard, settings, publish-skill, publish-plugin, import, about, CLI auth, stars, souls, user profile, org profile, management, plugins browse, plugin detail) from CSS class selectors to Tailwind + UI primitives.
- Skills browse: widen container to
wide(1400px) for better use of screen space on desktop; same for plugins browse. - Skills browse: replace text-based filter toggles with pill chips and modernize toolbar layout.
- Skill detail: migrate tab controls from CSS-styled buttons to Radix
Tabsprimitive with properrole="tab"accessibility. - Skill detail: replace inline CSS class-based install card with
SkillInstallCardusing Card + Button primitives. - Header/Footer: migrate from CSS classes to Tailwind utilities with responsive Sheet-based mobile navigation.
- Dashboard: replace CSS table layout with
TableUI primitive; add metric cards and skeleton loading. - Settings: modernize form inputs with
Input/Textarea/Labelprimitives and structured layout. - Publish: use
Dialogprimitive for modals; inline validation indicators; modernized file list display.
- Auth:
EmptyState"Sign in" button on publish page now triggers GitHub OAuth viauseAuthActionsinstead of linking to non-existent/signinroute. - API: fix plugins page dev-mode
{"error":"Only HTML requests are supported here"}by routing SSR and localhost API fetches directly to the Convex site URL instead of through TanStack Start's request pipeline. - API: fix CORS error when
credentials: "include"conflicts withAccess-Control-Allow-Origin: *by making credentials conditional on same-origin requests. - API: fix SSR
packageApiUrlto always useVITE_CONVEX_SITE_URLdirectly, avoidinggetRequestUrl()failures when SSR request context is unavailable. - Management: restore
setSoftDeletedreason parameter for hide/restore actions. - Tests: rename
settings.test.tsxto-settings.test.tsxto exclude from TanStack Router's file-based route discovery. - Tests: add
@convex-dev/auth/reactmock foruseAuthActionsin upload route tests. - Tests: update skill detail tests for Radix tab roles (
role="tab"instead ofrole="button"), skeleton loading classes (animate-pulse), and capability tag data. - Tests: update skills index tests for refreshed UI copy (placeholder text, empty state wording, loading indicator patterns).
- Tests: update SkillDiffCard tests for Tailwind active-tab class (
shadow-smreplacing.is-active). - Tests: update packages publish route tests for Tailwind border classes.
- Tests: update packageApi tests for conditional credentials and SSR URL resolution.
- Packages/Plugins: add a first-class OpenClaw package registry across the web app, CLI, and HTTP API. ClawHub now supports package browse/search/detail/version/file/download flows plus
clawhub package explore,clawhub package inspect, andclawhub package publishforskill,code-plugin, andbundle-pluginpackages. (#1093) - Packages/Install: package downloads now ship install-ready archives with a
package/root, support nested files likedist/index.js, and work directly with OpenClaw plugin install flows. - Skills/Web: server-render public skill pages and OG assets for faster first loads, cleaner sharing previews, and better cache behavior.
- Browse/Search: rebuild public browse/search around denormalized digests, one-shot HTTP fetches, and deterministic cursors so the homepage and
/skillsare faster, more cacheable, and less likely to hit stale-tab or pagination dead ends. - Search: default skill search to relevance, keep load-more retryable after fetch failures, and tighten package/skill catalog query paths to reduce inconsistent results under load.
- Packages/Auth: authenticated owners can now list, search, inspect, download, and read files from their own private packages instead of private packages being direct-URL-only. (#1093)
- Packages/API: stabilize package latest-version pointers, cursor pagination, publish outputs, fallback release resolution, and app-origin auth handling so package publish/search/install flows stay reliable.
- Visibility/API: prevent skills owned by deleted/banned users from showing up in public detail pages, browse/search results, or version API routes.
- Skills/API: sanitize public skill and soul version/file reads so hidden or invalid version data does not leak through direct API access.
- Skills/Web: keep Monaco compare layout toggles reliable while defaulting narrow screens to inline mode (#828) (thanks @geoffrey-xiao).
- Skills/Web: show skill owner avatar + handle on skill cards, lists, and detail pages (#312) (thanks @ianalloway).
- Skills/Web: add file viewer for skill version files on detail page (#44) (thanks @regenrek).
- CLI: add
uninstallcommand for skills (#241) (thanks @superlowburn). - Skills/API/CLI: add ownership transfer workflow with request/list/accept/reject/cancel flows.
- Skills/Web/API: surface platform/architecture labels and security evaluation results in v1 + inspect views (#499, #362).
- API: add structured skill moderation responses plus
GET /api/v1/skills/{slug}/moderationwith redacted public evidence and full owner/staff detail (#334) (thanks @ArthurzKV). - Moderation: persist structured moderation snapshots (static scan + VT/LLM merged verdict, reason codes, and evidence) on skills and versions (#333) (thanks @ArthurzKV).
- API: add scan security verification endpoint and non-suspicious filters (#820).
- Users: add
trustedPublisherflag and admin mutations to bypass pending-scan auto-hide for trusted publishers (#298) (thanks @autogame-17). - Moderation: add comment reporting with per-user active report caps, unique reporter/target enforcement, and auto-hide on the 4th unique report.
- Moderation: add AI-driven comment scam backfill (
commentModeration:*) with persisted verdict/confidence/explainer metadata and strict auto-ban forcertain_scam+highconfidence. - Admin: add manual unban for banned users (clears
deletedAt+banReason, audit log entry). Revoked API tokens stay revoked. - Admin: bulk restore skills from GitHub backup; reclaim squatted slugs via v1 endpoints + internal tooling (#298) (thanks @autogame-17).
- Moderation/Admin: add manual override audit tools for suspicious-skill review.
- CI/Security: add TruffleHog pull-request scanning for verified leaked credentials (#505) (thanks @akses0).
- Skills: make published skill licensing explicit and fixed to MIT-0; require publish consent, surface no-attribution messaging in web/CLI/API, and remove per-skill license metadata.
- Skill metadata: support env vars, dependency declarations, author, and links in parsed manifest metadata + install UI (#360) (thanks @mahsumaktas).
- Rate limiting: apply authenticated quotas by user bucket (vs shared IP), emit delay-based reset headers, and improve CLI 429 guidance/retries (#412) (thanks @lc0rp).
- Skills: reserve deleted slugs for prior owners (90-day cooldown) to prevent squatting; add admin reclaim flow (#298) (thanks @autogame-17).
- Moderation: ban flow soft-deletes owned skills (reversible) and removes them from vector search (#298) (thanks @autogame-17).
- Security/docs: document comment reporting/auto-hide behavior alongside existing skill reporting rules.
- Security/moderation: add bounded explainable auto-ban reasons for scam comments and protect moderator/admin accounts from automated bans.
- Moderation: banning users now also soft-deletes their authored comments (skill + soul), including legacy cleanup on re-ban.
- Quality gate: language-aware word counting (
Intl.Segmenter) and newcjkCharssignal to reduce false rejects for non-Latin docs. - Jobs: run skill stat event processing every 5 minutes (was 15).
- Deploy: add frontend/backend drift detection plus hardened production smoke/deploy checks.
- API performance: batch resolve skill/soul tags in v1 list/get endpoints (fewer action->query round-trips) (#112) (thanks @mkrokosz).
- LLM helpers: centralize OpenAI Responses text extraction for changelog/summary/eval flows (#502) (thanks @ianalloway).
- Search/listing performance: cut embedding hydration and badge read bandwidth via
embeddingSkillMap+ denormalized skill badges; shift stat-doc sync to low-frequency cron (#441) (thanks @sethconvex). - Search/listing performance: move public browse/search hydration onto
skillSearchDigest, add non-suspicious index paths, and split trending rebuilds to stay under Convex document limits.
- API: accept legacy CLI publish payloads during the v1 migration (#815).
- Auth/UI: surface OAuth callback failures in the web UI instead of swallowing them (#688).
- Skills: allow ownership healing when the previous owner was deleted/banned, and sanitize owner data in public payloads (#689, #793).
- CLI: validate explicit
install --force --versiontargets before removing an existing local skill, preventing data loss when the requested version does not exist (#825) (thanks @jonathandeamer). - Skills/Web: debounce search URL updates on
/skillsto keep typing responsive, and cancel stale pending navigations on external query changes (#587) (thanks @neeravmakwana). - Upload: keep folder-picking enabled after page refresh by reapplying
webkitdirectory/directoryon the file input ref (#551) (thanks @MunemHashmi). - CLI publish: use a longer multipart upload timeout and normalize abort rejections into proper Errors (#550) (thanks @MunemHashmi).
- CLI: forward optional auth tokens for
searchandexploreagainst authenticated registries (#608) (thanks @artdaal). - CLI: respect
HTTPS_PROXY/HTTP_PROXY/NO_PROXYenv vars for outbound registry requests, with troubleshooting docs (#363) (thanks @kerrypotter). - CLI: preserve registry base paths when composing API URLs for search/inspect/moderation commands (#486) (thanks @Liknox).
- CLI: show manual URL guidance when automatic browser opening is unavailable; add regression tests for opener errors (#163) (thanks @aronchick).
- API/CLI: expose skill security status in version inspect output, with schema wiring and CLI regression coverage (#362) (thanks @abutbul).
- Moderation: remove over-broad keyword flags for common auth/payment/crypto terms so legitimate skills stop tripping regex prefilters (#273) (thanks @superlowburn).
- Skills hard-delete: delete
commentReportsrows during moderation cleanup to avoid orphaned report records. - Comments: hide entries authored by deleted/deactivated users in
comments:listBySkill. - Admin API:
POST /api/v1/users/reclaimnow performs non-destructive root-slug owner transfer (preserves existing skill versions/stats/metadata) and clears active slug reservations. - VirusTotal: use shared AV-engine fallback verdict mapping for pending/backfill flows and keep undetected-only results pending (#591) (thanks @Shuai-DaiDai).
- Skills/listing: keep non-suspicious browse pagination on one cursor family during
isSuspiciousbackfill, and re-sync stalelatestVersionSummarymetadata fields (#572) (thanks @sethconvex). - PWA: update
manifest.jsonbranding so installed apps show the correct ClawHub name (#569) (thanks @Glucksberg). - Search/tests: cover soft-deleted skill filtering in vector hydration and lexical exact-slug fallback (#552) (thanks @MunemHashmi).
- Docs/dev: fix local setup instructions for Node support, Convex env vars, frontend port, and post-seed stats refresh (#584) (thanks @jack-piplabs).
- Docs/CLI: fix
exploreflag list indentation so--limitrenders correctly in the command reference (#601) (thanks @gandli). - Skill metadata: parse top-level
requires.*,primaryEnv, and homepage fallbacks for security review accuracy (#548) (thanks @MunemHashmi). - Users: sync handle on ensure when GitHub login changes (#293) (thanks @christianhpoe).
- Users/Auth: throttle GitHub profile sync on login; also sync avatar when it changes (#312) (thanks @ianalloway).
- Upload gate: fetch GitHub account age by immutable account ID (prevents username swaps) (#116) (thanks @mkrokosz).
- VT fallback: activate only VT-pending hidden skills when scans are unavailable/stale; keep quality/scanner-blocked skills hidden (#300) (thanks @superlowburn).
- API: return proper status codes for delete/undelete errors (#35) (thanks @sergical).
- API: for owners, return clearer status/messages for hidden/soft-deleted skills instead of a generic 404.
- Web: allow copying OpenClaw scan summary text (thanks @borisolver, #322).
- HTTP/CORS: add preflight handler + include CORS headers on API/download errors; CLI: include auth token for owner-visible installs/updates (#146) (thanks @Grenghis-Khan).
- CLI: clarify
logoutonly removes the local token; token remains valid until revoked in the web UI (#166) (thanks @aronchick). - CLI: validate skill slugs used for filesystem operations (prevents path traversal) (#241) (thanks @superlowburn).
- Skills: keep global sorting across pagination on
/skills(thanks @CodeBBakGoSu, #98). - Skills: allow updating skill description/summary from frontmatter on subsequent publishes (#312) (thanks @ianalloway).
- Skills/Web: prevent filtered pagination dead-ends and loading-state flicker on
/skills; move highlighted browse filtering into server list query (#339) (thanks @Marvae). - Web: align
/skillstotal count with public visibility and format header count (thanks @rknoche6, #76). - Skills/Web: centralize public visibility checks and keep
globalStatsskill counts in sync incrementally; remove duplicate/skillsdefault-sort fallback and share browse test mocks (thanks @rknoche6, #76). - Moderation: clear stale
flagged.suspiciousflags when VirusTotal rescans improve to clean verdicts (#418) (thanks @Phineas1500). - API tests: lock
Retry-Afterbehavior to relative-delay semantics for v1 search 429s (#421) (thanks @apoorvdarshan). - CLI tests: assert 5xx HTTP responses still perform retry attempts before surfacing final error (#457) (thanks @YonghaoZhao722).
- GitHub import: improve storage/publish failure errors with actionable context; add regression tests for error formatting (#512) (thanks @vassiliylakhonin).
Reconstructed from the clawhub@0.7.0 npm publish timestamp (2026-02-16T05:02:25Z) and the repo version bump commit (e352309).
- Skills/Web: show owner avatars/handles across cards, lists, and detail pages (#312) (thanks @ianalloway).
- Skills/Web: add version file viewer on skill detail pages (#44) (thanks @regenrek).
- CLI: add
uninstallfor installed skills (#241) (thanks @superlowburn). - Skills/Web: add non-suspicious browse filter, downloads-first browse defaults, and popular non-suspicious homepage sections.
- Web: compact-format skill and soul stats, plus split page models for skills/detail rendering.
- Skills: auto-generate missing summaries and add a resumable/self-scheduling summary backfill job.
- Moderation/Admin: add anti-spam publish caps, trust-tier quality checks, empty-skill cleanup tooling, and stronger moderator UX.
- HTTP/CLI: centralize CORS handling and allow tokenized owner-visible reads through the CLI (#296, #297).
- API performance: batch resolve tags in v1 list/get flows to cut action-to-query round-trips (#112) (thanks @mkrokosz).
- Quality gate: add language-aware word counting and tighten spam/quarantine handling around publish flows.
- Skills/Web: fix initial sort wiring, keep global ordering across pagination, prevent pagination dead-ends/flicker, and harden cursor recovery (#92, #98, #339).
- CLI: normalize abort/timeout errors, secure config-file permissions, clarify logout semantics, and prefer
$HOMEfor path resolution (#164, #166, #283, #286, #299). - API: return correct delete/undelete status codes and clearer soft-delete/owner-visible error responses (#35) (thanks @sergical).
- Upload/Auth: gate publish ownership by immutable GitHub account ID and handle duplicate auth-user records safely.
- Downloads/Search: harden download dedupe/rate limiting, improve SSR host awareness, and fix homepage/search regressions under legacy data.
- Security: add LLM-based security evaluation during skill publish.
- Parsing: recognize
metadata.openclawfrontmatter and evaluate all skill files for requirements.
- Performance: lazy-load Monaco diff viewer on demand (thanks @alexjcm, #212).
- Search: improve recall/ranking with lexical fallback and relevance prioritization.
- Moderation UX: collapse OpenClaw analysis by default; update spacing and default reasoning model.
- Skills: fix initial
/skillssort wiring so first page respects selected sort/direction (thanks @bpk9, #92). - Search/UI: add embedding request timeout and align
/skillstoolbar + list width (thanks @GhadiSaab, #53). - Upload gate: handle GitHub API rate limits and optional authenticated lookup token (thanks @superlowburn, #246).
- HTTP: remove
allowH2from Undici agent to preventfetch failedon Node.js 22+ (#245). - Tests: add root
undicidev dependency for Node E2E imports (thanks @tanujbhaud, #255). - Downloads: add download rate limiting + per-IP/day dedupe + scheduled dedupe pruning; preserve moderation gating and deterministic zips (thanks @regenrek, #43).
- VirusTotal: fix scan sync race conditions and retry behavior in scan/backfill paths.
- Metadata: tolerate trailing commas in JSON metadata.
- Auth: allow soft-deleted users to re-authenticate on fresh login, while keeping banned users blocked (thanks @tanujbhaud, #177).
- Web: prevent horizontal overflow from long code blocks in skill pages (thanks @bewithgaurav, #183).
- CLI/API: add
set-roleto change user roles (admin only). - Security: quarantine skill publishes with VirusTotal scans + UI (thanks @aleph8, #130).
- Testing: add tests for badges, skillZip, uploadFiles expandDroppedItems, and ark schema error truncation.
- Moderation: add ban reasons to API/CLI and show in management UI.
- Coverage: track
convex/lib/skillZip.tsin coverage reports.
- Web: show pending-scan skills to owners without 404 (thanks @orlyjamie, #136).
- Users: backfill empty handles from name/email in ensure (thanks @adlai88, #158).
- Web: update footer branding to OpenClaw (thanks @jontsai, #122).
- Auth: restore soft-deleted users on reauth, block banned users (thanks @mkrokosz, #106).
- Admin: ban users and delete owned skills from management console.
- Moderation: auto-hide skills after 4 unique reports; per-user report cap; moderators can ban users.
- Uploads: require GitHub accounts to be at least 7 days old for skill + soul publish/import.
- CLI: add
inspectto fetch skill metadata/files without installing. - CLI: add moderation commands for hide/unhide/delete and ban users.
- Management: add filters for reported skills and users.
- Deps: update dependencies to latest available versions.
- Reporting: require reasons, show them in management console, warn about abuse bans.
- Bans: batch hard-delete cleanup to avoid Convex read limits on large skills.
- Web: show published skills on user profiles (thanks @njoylab, #20).
- CLI: include ClawHub + Moltbot fallback skill roots for sync scans.
- CLI: support OpenClaw configuration files (
OPENCLAW_CONFIG_PATH/OPENCLAW_STATE_DIR).
- Brand: rebrand to ClawHub and publish CLI as
clawhub(legacyclawdhubsupported). - Domain: default site/registry now
https://clawhub.ai;.well-known/clawhub.jsonpreferred. - Theme: persist theme under
clawhub-theme(legacy key still read).
- Registry: drop missing skills during search hydration (thanks @aaronn, #28).
- CLI: use path-based skill metadata lookup for updates (thanks @daveonkels, #22).
- Search: keep highlighted-only filtering and clamp vector candidates to Convex limits (thanks @aaronn, #30).
- CLI: add
explorecommand for latest updates, with limit clamping + tests/docs (thanks @jdrhyne, #14). - CLI:
explore --jsonoutput + new sorts (installs,installsAllTime,trending) and limit up to 200. - API:
/api/v1/skillssupports installs + trending sorts (7-day installs). - API: idempotent
POST/DELETE /api/v1/stars/{slug}endpoints. - Registry: trending leaderboard + daily stats backfill for installs-based sorts.
- Web: keep search mode navigation and state in sync (thanks @NACC96, #12).
- Web: dynamic OG image cards for skills (name, description, version).
- CLI: auto-scan Clawdbot skill roots (per-agent workspaces, shared skills, extraDirs).
- Web: import skills from public GitHub URLs (auto-detect
SKILL.md, smart file selection, provenance). - Web/API: SoulHub (SOUL.md registry) with v1 endpoints and first-run auto-seed.
- Web: stabilize skill OG image generation on server runtimes.
- Web: prevent skill OG text overflow outside the card.
- Registry: make SoulHub auto-seed idempotent and non-user-owned.
- Registry: keep GitHub backup state + publish backups intact (thanks @joshp123, #1).
- CLI/Registry: restore fork lineage on sync + clamp bulk list queries (thanks @joshp123, #1).
- CLI: default workdir falls back to Clawdbot workspace (override with
--workdir/CLAWHUB_WORKDIR).
- API: v1 public REST endpoints with rate limits, raw file fetch, and OpenAPI spec.
- Docs:
docs/api.mdandDEPRECATIONS.mdfor the v1 cutover plan.
- CLI: publish now uses single multipart
POST /api/v1/skills. - Registry: legacy
/api/*+/api/cli/*marked for deprecation (kept for now).
- Telemetry: track installs via
clawhub sync(logged-in only), per root, with 120-day staleness. - Skills: show current + all-time installs; sort by installs.
- Profile: private "Installed" tab with JSON export + delete telemetry controls.
- Docs: add
docs/telemetry.md(what we track + how to opt out). - Web: custom Open Graph image (
/og.png) + richer OG/Twitter tags. - Web: dashboard for managing your published skills (thanks @dbhurley!).
- CLI: telemetry opt-out via
CLAWHUB_DISABLE_TELEMETRY=1. - Web: move theme picker into mobile menu.
- Web: handle shorthand hex colors in diff theme (thanks @dbhurley!).
- Maintenance: admin backfill to re-parse
SKILL.mdand repair stored summaries/parsed metadata.
- CLI sync: ignore plural
skills.mddocs files when scanning for skills. - Registry: parse YAML frontmatter (incl multiline
description) and accept YAMLmetadataobjects.
- Web:
/skillslist view with sorting (newest/downloads/stars/name) + quick filter. - Web: admin/moderator highlight toggle on skill detail.
- Web: canonical skill URLs as
/<owner>/<slug>(legacy/skills/<slug>redirects). - Web: upload auto-generates a changelog via OpenAI when left blank (marked as auto-generated).
- Web: skill detail shows a loading state instead of flashing "Skill not found".
- Web: user profile shows avatar + loading state (no "User not found" flash).
- Web: improved mobile responsiveness (nav menu, skill detail layout, install command overflow).
- Web: upload now unwraps folder picks so
SKILL.mdcan be at the bundle root. - Registry: cap embedding payload size to avoid model context errors.
- CLI: ignore legacy
auth.clawdhub.comregistry and prefer site discovery.
- Web: homepage search now expands into full search mode with live results + highlighted toggle.
- CLI: sync no longer prompts for changelog; registry auto-generates when blank.
- CLI sync: concurrency flag to limit registry checks.
- Home: install command switcher (npm/pnpm/bun).
- CLI sync: default
--concurrencyis now 4 (was 8). - CLI sync: replace boxed notes with plain output for long lists.
- CLI sync: wrap note output to avoid terminal overflow; cap list lengths.
- CLI sync: label fallback scans as fallback locations.
- CLI package: bundle schema internally (no external
clawhub-schemapublish). - Repo: mark
clawhub-schemaas private to prevent publishing.
- CLI: delete/undelete commands for soft-deleted skills (owner/admin).
- CLI sync: dedupe duplicate slugs across scan roots; skip duplicates to avoid double-publish errors.
- CLI sync: show parsing progress while hashing local skills.
- CLI sync: prompt only actionable skills; preselect all by default; list synced separately; condensed synced summary when nothing to sync.
- CLI sync: cap long status lists to avoid massive terminal boxes.
- CLI publish/sync: allow empty changelog on updates; registry accepts empty changelog for updates.
- CLI: use
--cli-versionto avoid conflict with skill--versionflags. - Registry: hide soft-deleted skills from search/skill/download unless restored.
- Tests: add delete/undelete coverage (unit + e2e).
- CLI auth: login/logout/whoami; browser loopback auth; token storage; site/registry discovery; config overrides.
- CLI workflow: search, install, update (single/all), list, publish, sync (scan workdir + legacy roots), dry-run, version bumping, tags.
- Registry/API: skills + versions with semver; tags (latest + custom); changelog per version; SKILL.md frontmatter parsing; text-only validation; zip download; hash resolve; stats (downloads/stars/versions/comments).
- Web app: home (highlighted + latest), search, skill detail (README, versions, tags, stats, files), upload UI, user profiles, stars, settings (profile + API tokens + delete account).
- Social: stars + comments with moderation hooks; admin console for roles + highlighted curation.
- Search: semantic/vector search over skill content with limit/approved filters.
- Security: GitHub OAuth; role-based access (admin/moderator/user); audit logging for admin actions.