ThumbGate
Pass. Audited by ClawScan on May 10, 2026.
Overview
ThumbGate appears to be a disclosed safety tool, but it installs an external npm CLI that adds persistent agent hooks and stores feedback-based rules.
ThumbGate looks purpose-aligned rather than malicious. Before installing, review the npm package source, run initialization only in projects or agents where you want persistent PreToolUse gates, check what files and hooks it changes, and avoid storing sensitive information in feedback or lessons.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running the CLI means trusting code outside the reviewed SKILL.md artifact.
The documented quick start executes an external npm CLI package; the provided artifact set does not include the package implementation.
```bash
npx thumbgate init
```
Review the npm package and repository before running npx, and install from a trusted source or pinned version where possible.
Future agent tool calls may be intercepted or blocked according to saved ThumbGate rules.
The skill intentionally adds persistent hook-based behavior to the user's agent environment.
Bootstraps `.thumbgate/` and wires `PreToolUse` hooks into your agent.
Initialize it only in environments where you want persistent tool-call gating, and confirm how to inspect, edit, disable, or remove installed hooks.
Saved lessons may affect future tasks and could include sensitive details from prior agent actions.
ThumbGate stores feedback-derived lessons that are later reused to enforce prevention rules.
Capture — every thumbs-down on a bad agent action becomes a structured lesson.
Avoid capturing secrets or private data in feedback, periodically review saved lessons and gates, and understand whether any plan syncs lessons to a hosted or shared database.
