Skills

    Skills extend Wingman with reusable workflows. Wingman can browse and install skills from GitHub or ClawHub.

    Commands

    wingman skill browse
wingman skill install pdf
wingman skill list
wingman skill remove pdf

    Configuration

    {
  "skills": {
    "provider": "hybrid",
    "repositories": [
      { "owner": "RussellCanfield", "name": "wingman-ai" },
      { "owner": "your-org", "name": "your-skills-repo" }
    ],
    "repositoryOwner": "legacy-owner",
    "repositoryName": "legacy-repo",
    "githubToken": "optional-token",
    "clawhubBaseUrl": "https://clawhub.ai",
    "skillsDirectory": "skills",
    "security": {
      "scanOnInstall": true,
      "scannerCommand": "uvx",
      "scannerArgs": ["--from", "mcp-scan>=0.4,<0.5", "mcp-scan", "--json", "--skills"],
      "blockIssueCodes": ["MCP501", "MCP506", "MCP507", "MCP508", "MCP509", "MCP510", "MCP511"]
    }
  }
}

    Provider notes:

    • provider: "hybrid" (default) combines ClawHub + GitHub. GitHub entries override same-name skills from ClawHub.
    • provider: "github" requires repositories (preferred) or the legacy repositoryOwner + repositoryName fallback.
    • provider: "clawhub" uses clawhubBaseUrl.
    • GITHUB_TOKEN is still supported for GitHub API rate limits.
    • When multiple GitHub repos define the same skill name, later entries in repositories win.

    Security scan notes:

    • Skill installs are staged, validated, scanned, and only then copied into the active skills directory.
    • Default scanner execution uses uvx + mcp-scan.
    • Wingman checks for uv only when skills.security.scanOnInstall is enabled and the scanner command is uv/uvx.
    • Set "scanOnInstall": false to disable scanning for wingman skill install.
    • If uv is missing while scan is enabled, install fails with an error (no interactive prompt).

    Skill metadata activation

    Wingman supports dependency metadata under exactly two keys:

    • metadata.wingman
    • metadata.openclaw

    If a skill declares requires.bins, Wingman activates that skill only when the binaries are present on PATH.

    Install recipes (metadata.<namespace>.install) are not executed on agent load. They are only offered during wingman skill install.

    Where skills live

    Installed skills are placed in .wingman/skills/ (or the directory you configure). Each skill includes a SKILL.md with metadata and instructions.