Back to plugin

Security audit

Deck

Security checks across malware telemetry and agentic risk

Overview

The package is a disclosed ClawHub CLI/admin/developer toolkit with powerful authenticated operations, but I found no hidden, automatic, or purpose-mismatched unsafe behavior.

Install the public CLI only if you expect it to contact ClawHub, store a local API token after login, write skill files under your configured skills directory, and optionally report install telemetry while logged in. Treat the private admin and staff skills as operator tooling: use them only with the right ClawHub role and review confirmations before moderation, email, migration, or publishing actions.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:4232
Evidence
function resolveOpenCommand(url2, env = process.env, platform = process.platform) {