5 OpenClaw Skills That Turn Your Agent From a Chatbot Into a Worker
A fresh OpenClaw install can talk. It can answer questions. It can write code in a chat window.
What it cannot do: check your CI, search the web, send an email, update a spreadsheet, or click a button on a website.
That's 90% of actual work.
The model is smart. But smart without tools is just a chatbot. You need to give it hands. This guide covers the 5 skills that do that.
Table of contents
- The 5 Gaps
- Skill 1: github
- Skill 2: tavily-search
- Skill 3: agentmail
- Skill 4: gog
- Skill 5: agent-browser
- A Note on Prompt Injection
The 5 Gaps
Every useful agent needs 5 things. Each skill fills exactly one gap.
| Gap | Skill | What it does | ClawHub downloads |
|---|---|---|---|
| Knowledge input | tavily-search | Structured web search with source URLs | ~19k |
| Code and CI execution | github | Operate GitHub via the gh CLI | ~20k |
| Persistent state | gog | Read/write Google Sheets, Docs, Calendar, Gmail | ~14k |
| External communication | agentmail | Agent-owned email inbox with webhooks | Community-driven |
| Browser access | agent-browser | Fast, Rust-based headless browser CLI | ~95k |
Download numbers are from ClawHub as of February 2026. They're community signals, not quality scores.
Now let's walk through each one.
1. github: Your CI On-Call Partner
Source: clawhub.ai/steipete/github
This skill teaches your agent to operate GitHub through the gh CLI. Pull request status. Workflow runs. Failed logs. Issue lists. Custom API queries.
The highest-value use case: CI triage. Your agent can check what failed, pull the logs, and produce a checklist of what to fix. You still decide what to do. The agent does the reading.
Here are the 4 commands that cover 80% of the work:
gh pr checks <PR_NUMBER>
gh run list --limit 10
gh run view <RUN_ID> --log-failed
gh issue list --limit 20 --json number,title,state,url
The risk: your GitHub token. If the scope is too broad, the agent can merge PRs, delete branches, or leak private code into other tools.
The fix: create a bot account with read-only scopes. Let the agent read CI and issues. Add write permissions only after the workflow is stable and you trust the output.
2. tavily-search: Research With Receipts
Source: clawhub.ai/arun-8687/tavily-search
When your agent needs to look something up, you have two options. Let the model guess from training data. Or give it a real search tool that returns sources.
tavily-search does the second one. It wraps Tavily's Search and Extract APIs. The pattern is simple: search broadly, then extract the few pages worth citing.
# Step 1: Search
node ./search.mjs --query "..." -n 8
# Step 2: Extract the best hits
node ./extract.mjs --urls "https://..." --format markdown
The output includes URLs, so you can verify. The agent gets fresh data instead of stale training knowledge. And you get a trail of sources you can check.
The risk: your search queries go to a third-party API. Don't search for internal URLs, credentials, or proprietary terms. Stick to public information.
The fix: start with shallow searches. Only use deep/advanced mode when you genuinely need it. Set a monthly API budget so cost doesn't creep up silently.
3. agentmail: Give the Agent Its Own Inbox
Source: clawhub.ai/adboio/agentmail
Here's a real problem. You want your agent to sign up for services, receive verification codes, or send weekly reports. But if you hand it your personal Gmail, two things happen:
- Google may flag automated access and lock your account.
- Anyone who emails you now has a direct line to manipulate your agent.
AgentMail solves this by giving the agent its own email address. Dedicated inbox. API-driven send/receive. Webhooks for automation triggers.
The risk: inbound email is the biggest prompt injection surface in any agent setup. Anyone can send your agent an email with hidden instructions. That's a real attack vector, not a theoretical one.
The fix: roll it out in two phases.
Phase 1 (start here): the agent writes draft replies. You review and click send. Allowlist the senders you trust. Quarantine everything else.
Phase 2 (once stable): enable inbound webhooks that feed a review queue. Only approved messages reach your main workflow. Never auto-execute attachments.
4. gog: Google Workspace as a Backend
Source: clawhub.ai/steipete/gog
Most agents have a memory problem. They can do work, but they can't store work. Everything lives in the conversation and disappears when the session ends.
gog fixes that by connecting your agent to Google Workspace. Sheets become a lightweight database. Docs become an audit log. Calendar becomes a scheduling interface.
Here's what the commands look like:
gog gmail search 'newer_than:7d' --max 10
gog sheets append <sheetId> "Tab!A:C" --values-json '[["x","y","z"]]' --insert INSERT_ROWS
gog docs export <docId> --format txt --out /tmp/doc.txt
The risk: OAuth setup is painful. Expect 30 to 60 minutes for initial configuration. Token refresh breaks are a common complaint. And the skill can do irreversible things: send emails, create calendar events, overwrite cells.
The fix: use a dedicated Google Workspace account (not your personal one). Restrict the agent to a single Drive folder and specific Sheet/Doc IDs. Default to "draft first, send on approval."
5. agent-browser: When There's No API
Source: clawhub.ai/TheSethRose/agent-browser
Some tools don't have APIs. Some dashboards require clicking through a UI. When that's the case, you need browser automation.
agent-browser is a Rust-based headless browser CLI built by Vercel Labs. It's fast, lightweight, and designed specifically for agents. With ~95k ClawHub downloads, it's the most popular skill on this list. It ships in the default OpenClaw application template.
The interaction model is clean:
# Open a page
agent-browser open https://example.com
# Snapshot interactive elements (returns refs like @e1, @e2)
agent-browser snapshot -i
# Interact using those refs
agent-browser click @e1
agent-browser fill @e2 "search query"
# Take a screenshot as evidence
agent-browser screenshot --full-page
You navigate, snapshot the page, get stable element references, and interact with them. Each action is a single CLI call. Output is structured JSON. Sessions can be isolated with a --session flag for parallel agent runs.
ClawHub rates this skill as "Benign" with high confidence. It's an instruction wrapper around the CLI, no unrelated credentials or system access requested.
The risk: any browser automation tool can leak cookies, capture sensitive pages, or perform irreversible UI actions (purchases, deletes, form submissions).
The fix: use a clean browser profile. Start by observing: navigate, screenshot, extract data. Don't automate form submissions or logins until you've verified the workflow manually. Run it in a container or sandbox if you can.
A Note on Prompt Injection
One thing applies to every skill on this list: treat inbound data as untrusted.
Emails, web pages, and API responses can all contain hidden instructions that try to hijack your agent. This is called prompt injection. It's a real operational risk. Researchers have found 820+ malicious ClawHub skills and documented sandbox escape vulnerabilities.
Allowlist senders. Don't auto-execute content from unknown sources. If your agent reads something from the outside world, assume someone put something in there to mess with it.
Further reading: