Clawdhub.Bak 2026 01 28T18:01:16+10:30
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent ClawdHub CLI wrapper, but it can install, force-update, and publish agent skills without clear artifact-level guardrails for user review.
Install only if you want an agent-accessible ClawdHub skill manager. Before use, require confirmation for any install, update, update-all, force/no-input, registry override, or publish command, and review versions and sources carefully.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used without explicit approval, the agent could change many installed skills at once and alter future agent behavior.
This documents a forced, non-interactive bulk update path for installed skills. Because installed skills can change agent behavior, this is high-impact and the artifact does not add approval, rollback, or scoping guidance.
clawdhub update --all --no-input --force
Require explicit user confirmation before install, update, update-all, force, no-input, or publish operations; prefer pinned versions and avoid bulk forced updates unless the user specifically requests them.
Installing or updating from a registry can introduce new or changed instructions into the agent's skill set.
The skill intentionally installs and updates skills from a registry, and allows the registry to be overridden. This is purpose-aligned, but it is supply-chain sensitive because remote skills affect the agent environment.
Default registry: https://clawdhub.com (override with CLAWDHUB_REGISTRY or --registry)
Use trusted registries, review skill sources before installing, pin versions when possible, and be cautious with registry overrides.
The agent may act through the user's ClawdHub account when publishing skills.
Publishing requires authenticating to ClawdHub. That is expected for this skill's publish workflow, but it gives the CLI account-level authority to publish under the logged-in identity.
Auth (publish)
clawdhub login
clawdhub whoami
Log in only to the intended account, verify `whoami`, and approve the exact folder, slug, version, and changelog before publishing.
