Skip to main content

Overview

AgentPowers aggregates skills from external registries alongside its own native catalog. When you search, you see two sections: AgentPowers skills first, then skills from each external source (starting with ClawHub). External skills are free, open-source skills hosted on their original registry. AgentPowers proxies the search, handles installation, and runs its full security pipeline before any external skill reaches your machine.

How It Works

Searching

When you search for a skill, AgentPowers queries its own database and all registered external sources in parallel. Results come back in clearly labeled, sectioned format: 
ap search "postgres backup"
The API returns a sectioned response: 
{
  "agentpowers": {
    "items": [...],
    "total": 1,
    "limit": 20,
    "offset": 0
  },
  "clawhub": {
    "items": [
      {
        "slug": "postgres-backup",
        "title": "Postgres Backup",
        "source": "clawhub",
        "source_url": "https://clawhub.ai/owner/postgres-backup",
        "source_installs": 234,
        "source_downloads": 234,
        "source_stars": 47,
        "source_comments": 3,
        "ap_security_status": "pass",
        "version": "1.2.0"
      }
    ],
    "total": 1
  }
}
The CLI renders this as a unified table with Source, Type, Price, and Security columns. Install counts and star ratings are shown inline in the title.
  • pass/warn — AgentPowers has scanned this skill version before
  • unscanned — No one has installed this version through AgentPowers yet; it will be scanned on first install

Installing

External skills go through a sandboxed install + security scan flow:
  1. The CLI downloads the skill into a temporary sandbox directory
  2. AgentPowers checks if this exact version has been scanned before
  3. Cache hit — the cached security result is returned instantly
  4. Cache miss — the full security pipeline runs (static validation, malware detection, AI review, agent checks), then caches the result
  5. Pass or warn — files move to ~/.claude/skills/ and a version pin is recorded
  6. Block — findings are displayed and the skill is not installed

Version Pinning

Every installed skill is pinned by its content. This protects against supply chain attacks:
  • If an author re-uploads a skill (files change), the pin detects the mismatch
  • On update, AgentPowers re-scans before applying the new version
  • Run ap verify to check all installed skills against their recorded pins

Updating

External skills support the same update flow as native skills: 
ap update ontology           # Update a single external skill
ap update                    # Check all installed skills (native + external)
When a newer version is available, the update command:
  1. Fetches the latest version from the external source
  2. Compares the installed version against the latest
  3. Re-runs the full sandboxed install flow (download, scan, install)
  4. Updates the pin with the new version
Edit detection works the same way. If you’ve modified the installed files, ap update detects the change and prompts before overwriting. Use --force to bypass the prompt. Missing version info. Some external skills are pinned without version information (e.g., when the original install didn’t report a version). In this case, ap update treats the skill as up-to-date if it hasn’t been locally edited, avoiding unnecessary re-downloads.

Security

External skills receive the same security treatment as native AgentPowers skills:
CheckDescription
Static validationFile type checks, dangerous pattern scanning
Malware detectionClamAV signatures and VirusTotal multi-engine scan
Dependency scanSnyk CVE detection for known vulnerabilities
Supply chain analysisGuardDog (Python) and Socket.dev (npm)
AI security reviewSemantic analysis for injection, auth flaws, data exposure
Agent-specific checksTool audit, instruction analysis, trust scoring
The only difference: native skills are scanned at publish time. External skills are scanned at install time (and cached for subsequent users).

Supported Sources

SourceStatusSkills
ClawHubActiveCommunity skills for Claude Code
More comingPlannedAdditional registries in the future

For Developers

API

Search Results 
GET /v1/search?q=postgres&type=skill
Returns a sectioned response with agentpowers and clawhub keys. External items include:
  • source — “clawhub”, etc.
  • source_url — Link to the original registry entry
  • source_installs — Download count from the original source
  • source_downloads — Same as source_installs (full detail)
  • source_stars — Star/rating count
  • source_comments — Comment count
  • ap_security_status — AgentPowers scan result (“pass”, “warn”, or null if unscanned)
Unified Detail Get full details for any skill regardless of source: 
GET /v1/detail/{slug}?source=clawhub
Returns author info, version, stats, description, and AgentPowers security status. Security Results View the security scan results for any skill: 
GET /v1/security/results/{slug}
Returns the scan outcome (pass/warn/block) with findings.

CLI

The ap install command automatically detects external skills by their source field and routes through the sandbox + scan flow. Use --source to specify explicitly: 
ap install ontology --source clawhub
Preview before installing — Use ap detail --scan to run the full security pipeline without installing: 
ap detail ontology --scan --source clawhub
This downloads to a temporary sandbox, scans, displays per-finding result cards, and cleans up. Nothing is installed. Verify integrity — The ap verify command checks all installed skills against their recorded pins: 
ap verify

Need Help?

Email Support

Reach us at [email protected] for account issues, billing questions, or technical help.

Discord Community

Join the AgentPowers Discord to get help from the team and other creators in real time.