> ## Documentation Index
> Fetch the complete documentation index at: https://docs.agentpowers.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# External Skills (ClawHub and More)

> How AgentPowers integrates external skill registries with full security scanning

## Overview

AgentPowers aggregates skills from external registries alongside its own native catalog. When you search, you see two sections: **AgentPowers** skills first, then skills from each external source (starting with **ClawHub**).

External skills are free, open-source skills hosted on their original registry. AgentPowers proxies the search, handles installation, and runs its full security pipeline before any external skill reaches your machine.

## How It Works

### Searching

When you search for a skill, AgentPowers queries its own database and all registered external sources in parallel. Results come back in clearly labeled, sectioned format:

```bash theme={null}
ap search "postgres backup"
```

The API returns a sectioned response:

```json theme={null}
{
  "agentpowers": {
    "items": [...],
    "total": 1,
    "limit": 20,
    "offset": 0
  },
  "clawhub": {
    "items": [
      {
        "slug": "postgres-backup",
        "title": "Postgres Backup",
        "source": "clawhub",
        "source_url": "https://clawhub.ai/owner/postgres-backup",
        "source_installs": 234,
        "source_downloads": 234,
        "source_stars": 47,
        "source_comments": 3,
        "ap_security_status": "pass",
        "version": "1.2.0"
      }
    ],
    "total": 1
  }
}
```

The CLI renders this as a unified table with Source, Type, Price, and Security columns. Install counts and star ratings are shown inline in the title.

* **pass/warn** -- AgentPowers has scanned this skill version before
* **unscanned** -- No one has installed this version through AgentPowers yet; it will be scanned on first install

### Installing

External skills go through a sandboxed install + security scan flow:

1. The CLI downloads the skill into a temporary sandbox directory
2. AgentPowers checks if this exact version has been scanned before
3. **Cache hit** -- the cached security result is returned instantly
4. **Cache miss** -- the full security pipeline runs (static validation, malware detection, AI review, agent checks), then caches the result
5. **Pass or warn** -- files move to `~/.claude/skills/` and a version pin is recorded
6. **Block** -- findings are displayed and the skill is not installed

### Version Pinning

Every installed skill is pinned by its content. This protects against supply chain attacks:

* If an author re-uploads a skill (files change), the pin detects the mismatch
* On update, AgentPowers re-scans before applying the new version
* Run `ap verify` to check all installed skills against their recorded pins

### Updating

External skills support the same update flow as native skills:

```bash theme={null}
ap update ontology           # Update a single external skill
ap update                    # Check all installed skills (native + external)
```

When a newer version is available, the update command:

1. Fetches the latest version from the external source
2. Compares the installed version against the latest
3. Re-runs the full sandboxed install flow (download, scan, install)
4. Updates the pin with the new version

**Edit detection works the same way.** If you've modified the installed files, `ap update` detects the change and prompts before overwriting. Use `--force` to bypass the prompt.

**Missing version info.** Some external skills are pinned without version information (e.g., when the original install didn't report a version). In this case, `ap update` treats the skill as up-to-date if it hasn't been locally edited, avoiding unnecessary re-downloads.

## Security

External skills receive the same security treatment as native AgentPowers skills:

| Check                 | Description                                                |
| --------------------- | ---------------------------------------------------------- |
| Static validation     | File type checks, dangerous pattern scanning               |
| Malware detection     | ClamAV signatures and VirusTotal multi-engine scan         |
| Dependency scan       | Snyk CVE detection for known vulnerabilities               |
| Supply chain analysis | GuardDog (Python) and Socket.dev (npm)                     |
| AI security review    | Semantic analysis for injection, auth flaws, data exposure |
| Agent-specific checks | Tool audit, instruction analysis, trust scoring            |

The only difference: native skills are scanned at publish time. External skills are scanned at install time (and cached for subsequent users).

## Supported Sources

| Source      | Status  | Skills                              |
| ----------- | ------- | ----------------------------------- |
| **ClawHub** | Active  | Community skills for Claude Code    |
| More coming | Planned | Additional registries in the future |

## For Developers

### API

**Search Results**

```bash theme={null}
GET /v1/search?q=postgres&type=skill
```

Returns a sectioned response with `agentpowers` and `clawhub` keys. External items include:

* `source` -- "clawhub", etc.
* `source_url` -- Link to the original registry entry
* `source_installs` -- Download count from the original source
* `source_downloads` -- Same as `source_installs` (full detail)
* `source_stars` -- Star/rating count
* `source_comments` -- Comment count
* `ap_security_status` -- AgentPowers scan result ("pass", "warn", or null if unscanned)

**Unified Detail**

Get full details for any skill regardless of source:

```bash theme={null}
GET /v1/detail/{slug}?source=clawhub
```

Returns author info, version, stats, description, and AgentPowers security status.

**Security Results**

View the security scan results for any skill:

```bash theme={null}
GET /v1/security/results/{slug}
```

Returns the scan outcome (pass/warn/block) with findings.

### CLI

The `ap install` command automatically detects external skills by their `source` field and routes through the sandbox + scan flow. Use `--source` to specify explicitly:

```bash theme={null}
ap install ontology --source clawhub
```

**Preview before installing** -- Use `ap detail --scan` to run the full security pipeline without installing:

```bash theme={null}
ap detail ontology --scan --source clawhub
```

This downloads to a temporary sandbox, scans, displays per-finding result cards, and cleans up. Nothing is installed.

**Verify integrity** -- The `ap verify` command checks all installed skills against their recorded pins:

```bash theme={null}
ap verify
```

## Need Help?

<CardGroup cols={2}>
  <Card title="Email Support" icon="envelope" href="mailto:support@agentpowers.ai">
    Reach us at **[support@agentpowers.ai](mailto:support@agentpowers.ai)** for account issues, billing questions, or technical help.
  </Card>

  <Card title="Discord Community" icon="discord" href="https://discord.gg/ECAzvrvHA">
    Join the **AgentPowers Discord** to get help from the team and other creators in real time.
  </Card>
</CardGroup>
