---
summary: "CLI reference: commands, flags, config, lockfile, sync behavior."
read_when:
- Working on CLI behavior
- Debugging install/update/sync
---
# CLI
CLI package: `packages/clawhub/` (published as `clawhub`, bin: `clawhub`).
From this repo you can run it via the wrapper script:
```bash
bun clawhub --help
```
## Global flags
- `--workdir
`: working directory (default: cwd; falls back to Clawdbot workspace if configured)
- `--dir `: install dir under workdir (default: `skills`)
- `--site `: base URL for browser login (default: `https://clawhub.ai`)
- `--registry `: API base URL (default: discovered, else `https://clawhub.ai`)
- `--no-input`: disable prompts
Env equivalents:
- `CLAWHUB_SITE` (legacy `CLAWDHUB_SITE`)
- `CLAWHUB_REGISTRY` (legacy `CLAWDHUB_REGISTRY`)
- `CLAWHUB_WORKDIR` (legacy `CLAWDHUB_WORKDIR`)
### HTTP proxy
The CLI respects standard HTTP proxy environment variables for systems behind
corporate proxies or restricted networks:
- `HTTPS_PROXY` / `https_proxy`
- `HTTP_PROXY` / `http_proxy`
- `NO_PROXY` / `no_proxy`
When any of these variables is set, the CLI routes outbound requests through
the specified proxy. `HTTPS_PROXY` is used for HTTPS requests, `HTTP_PROXY`
for plain HTTP. `NO_PROXY` / `no_proxy` is respected to bypass the proxy for
specific hosts or domains.
This is required on systems where direct outbound connections are blocked
(e.g. Docker containers, Hetzner VPS with proxy-only internet, corporate
firewalls).
Example:
```bash
export HTTPS_PROXY=http://proxy.example.com:3128
export NO_PROXY=localhost,127.0.0.1
clawhub search "my query"
```
When no proxy variable is set, behavior is unchanged (direct connections).
## Config file
Stores your API token + cached registry URL.
- macOS: `~/Library/Application Support/clawhub/config.json`
- override: `CLAWHUB_CONFIG_PATH` (legacy `CLAWDHUB_CONFIG_PATH`)
## Commands
### `login` / `auth login`
- Default: opens browser to `/cli/auth` and completes via loopback callback.
- Headless: `clawhub login --token clh_...`
### `whoami`
- Verifies the stored token via `/api/v1/whoami`.
### `star ` / `unstar `
- Adds/removes a skill from your highlights.
- Calls `POST /api/v1/stars/` and `DELETE /api/v1/stars/`.
- `--yes` skips confirmation.
### `search `
- Calls `/api/v1/search?q=...`.
### `explore`
- Lists latest updated skills via `/api/v1/skills?limit=...` (sorted by `updatedAt` desc).
- Flags:
- `--limit ` (1-200, default: 25)
- `--sort newest|downloads|rating|installs|installsAllTime|trending` (default: newest)
- `--json` (machine-readable output)
- Output: ` v` (summary truncated to 50 chars).
### `inspect `
- Fetches skill metadata and version files without installing.
- `--version `: inspect a specific version (default: latest).
- `--tag `: inspect a tagged version (e.g. `latest`).
- `--versions`: list version history (first page).
- `--limit `: max versions to list (1-200).
- `--files`: list files for the selected version.
- `--file `: fetch raw file content (text files only; 200KB limit).
- `--json`: machine-readable output.
### `install `
- Resolves latest version via `/api/v1/skills/`.
- Downloads zip via `/api/v1/download`.
- Extracts into `//`.
- Writes:
- `/.clawhub/lock.json` (legacy `.clawdhub`)
- `/.clawhub/origin.json` (legacy `.clawdhub`)
### `uninstall `
- Removes `//` and deletes the lockfile entry.
- Interactive: asks for confirmation.
- Non-interactive (`--no-input`): requires `--yes`.
### `list`
- Reads `/.clawhub/lock.json` (legacy `.clawdhub`).
### `update [slug]` / `update --all`
- Computes fingerprint from local files.
- If fingerprint matches a known version: no prompt.
- If fingerprint does not match:
- refuses by default
- overwrites with `--force` (or prompt, if interactive)
### `skill publish `
- Publishes via `POST /api/v1/skills` (multipart).
- Requires semver: `--version 1.2.3`.
- Publishing a skill means it is released under `MIT-0` on ClawHub.
- Published skills are free to use, modify, and redistribute without attribution.
- Legacy alias: `publish `.
### `delete `
- Soft-delete a skill (owner, moderator, or admin).
- Calls `DELETE /api/v1/skills/{slug}`.
- `--yes` skips confirmation.
### `undelete `
- Restore a hidden skill (owner, moderator, or admin).
- Calls `POST /api/v1/skills/{slug}/undelete`.
- `--yes` skips confirmation.
### `hide `
- Hide a skill (owner, moderator, or admin).
- Alias for `delete`.
### `unhide `
- Unhide a skill (owner, moderator, or admin).
- Alias for `undelete`.
### `skill rename `
- Rename an owned skill and keep the previous slug as a redirect alias.
- Calls `POST /api/v1/skills/{slug}/rename`.
- `--yes` skips confirmation.
### `skill merge `
- Merge one owned skill into another owned skill.
- The source slug stops listing publicly and becomes a redirect alias to the target.
- Calls `POST /api/v1/skills/{sourceSlug}/merge`.
- `--yes` skips confirmation.
### `transfer`
- Ownership transfer workflow.
- Subcommands:
- `transfer request [--message "..."] [--yes]`
- `transfer list [--outgoing]`
- `transfer accept [--yes]`
- `transfer reject [--yes]`
- `transfer cancel [--yes]`
- Endpoints:
- `POST /api/v1/skills/{slug}/transfer`
- `POST /api/v1/skills/{slug}/transfer/accept`
- `POST /api/v1/skills/{slug}/transfer/reject`
- `POST /api/v1/skills/{slug}/transfer/cancel`
- `GET /api/v1/transfers/incoming`
- `GET /api/v1/transfers/outgoing`
### `ban-user `
- Ban a user and delete owned skills (moderator/admin only).
- Calls `POST /api/v1/users/ban`.
- `--id` treats the argument as a user id instead of a handle.
- `--fuzzy` resolves the handle via fuzzy user search (admin only).
- `--reason` records an optional ban reason.
- `--yes` skips confirmation.
### `set-role `
- Change a user role (admin only).
- Calls `POST /api/v1/users/role`.
- `--id` treats the argument as a user id instead of a handle.
- `--fuzzy` resolves the handle via fuzzy user search (admin only).
- `--yes` skips confirmation.
### `package publish `
- Publishes a code plugin or bundle plugin via `POST /api/v1/packages`.
- `` accepts:
- Local folder path: `./my-plugin`
- GitHub repo: `owner/repo` or `owner/repo@ref`
- GitHub URL: `https://github.com/owner/repo`
- Metadata is auto-detected from `package.json`, `openclaw.plugin.json`, and `openclaw.bundle.json`.
- For GitHub sources, source attribution is auto-populated from the repo, resolved commit, ref, and subpath.
- For local folders, source attribution is auto-detected from local git when the origin remote points at GitHub.
- External code plugins must declare `openclaw.compat.pluginApi` and `openclaw.build.openclawVersion` explicitly.
Top-level `package.json.version` is not used as a fallback for publish validation.
- `--dry-run` previews the resolved publish payload without uploading.
- `--json` emits machine-readable output for CI.
- `--owner ` lets admins publish under a shared owner account while keeping their own token as the actor.
- Existing flags (`--family`, `--name`, `--version`, `--source-repo`, `--source-commit`, `--source-ref`, `--source-path`) still work as overrides.
- Private GitHub repos require `GITHUB_TOKEN`.
#### GitHub Actions
ClawHub also ships an official reusable workflow at
[`/.github/workflows/package-publish.yml`](../.github/workflows/package-publish.yml)
for plugin repos.
Typical caller setup:
```yaml
name: Package Publish
on:
pull_request:
workflow_dispatch:
push:
tags:
- "v*"
jobs:
dry-run:
if: github.event_name == 'pull_request'
uses: openclaw/clawhub/.github/workflows/package-publish.yml@main
with:
dry_run: true
publish:
if: github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/')
permissions:
contents: read
id-token: write
uses: openclaw/clawhub/.github/workflows/package-publish.yml@main
with:
dry_run: false
secrets:
clawhub_token: ${{ secrets.CLAWHUB_TOKEN }}
```
Notes:
- The reusable workflow defaults `source` to the caller repo.
- `pull_request` should use `dry_run: true` so CI stays non-polluting.
- Real publishes should be limited to trusted events such as `workflow_dispatch` or tag pushes.
- Trusted publishing without a secret only works on `workflow_dispatch`; tag pushes still need `clawhub_token`.
- Keep `clawhub_token` available for first publish, untrusted packages, or break-glass publishes.
- The workflow uploads the JSON result as an artifact and exposes it as workflow outputs.
### `sync`
- Scans for local skill folders and publishes new/changed ones.
- Roots can be any folder: a skills directory or a single skill folder with `SKILL.md`.
- Auto-adds Clawdbot skill roots when `~/.clawdbot/clawdbot.json` is present:
- `agent.workspace/skills` (main agent)
- `routing.agents.*.workspace/skills` (per-agent)
- `~/.clawdbot/skills` (shared)
- `skills.load.extraDirs` (shared packs)
- Respects `CLAWDBOT_CONFIG_PATH` / `CLAWDBOT_STATE_DIR` and `OPENCLAW_CONFIG_PATH` / `OPENCLAW_STATE_DIR`.
- Flags:
- `--root ` extra scan roots
- `--all` upload without prompting
- `--dry-run` show plan only
- `--bump patch|minor|major` (default: patch)
- `--changelog ` (non-interactive)
- `--tags a,b,c` (default: latest)
- `--concurrency ` (default: 4)
Telemetry:
- Sent during `sync` when logged in, unless `CLAWHUB_DISABLE_TELEMETRY=1` (legacy `CLAWDHUB_DISABLE_TELEMETRY=1`).
- Details: `docs/telemetry.md`.