Security Audits
ClawHub security audits help you decide whether a skill or plugin is safe enough to install. They show what a release does, what authority it asks for, and whether anything deserves extra attention before it can access files, accounts, credentials, code, or external services. Audits are strong safety signals, but they are not a guarantee that a release is risk-free. Always use judgment before granting sensitive access. See also Security, Acceptable usage, and Moderation and Account Safety.What to check before installing
Before installing, review:- the overall audit status
- the risk level
- any listed findings
- required credentials, permissions, or environment variables
- owner, source, version, changelog, downloads, stars, and other trust signals
Audit status
Audit status tells you how to react to the audit result:
A
Pass is reassuring, but it does not replace your own judgment. This matters
most for tools that can publish content, edit data, run commands, read files, or
access production systems.
Risk level
Risk level describes blast radius: how much power the release appears to have if you use it as intended.
Risk level and audit status answer different questions:
- Risk level asks: “How much power is here?”
- Audit status asks: “What should I do with this result?”
Review with Medium risk. That does
not mean it is malicious. It means the skill appears purpose-aligned, but can
act with meaningful account authority.
Findings
Findings explain why an audit result was shown. Each finding usually includes:- what it means
- why it was flagged
- the relevant skill or plugin content
- a recommendation
Info, Low, Medium, High, or Critical. Higher
severity findings contribute more strongly to risk level and audit status.
Low-confidence findings are hidden from the public audit rollup so the page
stays focused on useful evidence.
What ClawHub checks
ClawHub audits submitted release artifacts, including:- skill instructions or plugin metadata
- declared environment variables and permissions
- install instructions and package metadata
- included files and file manifests
- compatibility and capability metadata
- SkillSpector
- VirusTotal
- Risk analysis