Clawdhub 1.0.0

Warn

Audited by ClawScan on May 10, 2026.

Overview

This is a transparent ClawdHub CLI wrapper, but it documents high-impact commands that can install, publish, and bulk-force update agent skills without interactive prompts.

Install only if you trust the ClawdHub npm CLI and registry. Before allowing this skill to act, confirm each install, update, or publish operation, avoid `--all --no-input --force` unless you intentionally want unattended bulk changes, and prefer pinned versions for important skills.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could replace or modify multiple installed skills at once, changing future behavior without the user reviewing each update.

Why it was flagged

This documented command can bulk-change installed skills while suppressing interactive prompts and forcing the operation.

Skill content

clawdhub update --all --no-input --force

Recommendation

Require explicit user confirmation before install, update, publish, `--all`, `--force`, or `--no-input` operations. Prefer pinned versions and review changelogs before applying updates.

What this means

Installing the skill means trusting the npm `clawdhub` CLI and the ClawdHub registry to manage local agent skills.

Why it was flagged

The runnable behavior is delegated to an external npm package. This is expected for a CLI wrapper, but users must trust that package and registry because the package version/source is not pinned in the artifacts.

Skill content

node | package: clawdhub | creates binaries: clawdhub

Recommendation

Install from a trusted source, consider pinning the CLI version, and verify the npm package and registry before using it to install or update skills.

What this means

If used while logged in, the agent may publish or update skill listings under the user's ClawdHub account.

Why it was flagged

Publishing requires logging into a ClawdHub account. That is purpose-aligned, but it grants the CLI account-scoped publishing authority.

Skill content

Auth (publish)
clawdhub login
clawdhub whoami

Recommendation

Log in only when publishing is intended, verify the account with `whoami`, and approve the exact slug, version, and folder before publishing.

What this means

One unsafe or incompatible update could affect multiple future agent workflows.

Why it was flagged

A bulk update affects all matching installed skills, so a bad registry update or mistaken invocation could propagate across the agent's skill set.

Skill content

clawdhub update --all

Recommendation

Avoid unattended bulk updates; update one skill at a time when possible, pin versions for important skills, and keep backups or a rollback path.