clawhub
Audited by Socket on Feb 23, 2026
1 alert found:
Security [Skill Scanner] [Documentation context] Installation of third-party script detected

This SKILL.md is a legitimate-looking integration guide for the ClawHub CLI. It does not contain executable malware itself, but it instructs installing and running an external unpinned CLI (clawhub) and sending credentials/data to a registry that can be overridden. Those characteristics create supply-chain and credential-forwarding risks: a compromised CLI or malicious registry could exfiltrate credentials or arbitrary files and install malicious skills. Recommend treating the `clawhub` binary as untrusted until verified: prefer pinned versions, verify package provenance (signatures/checksums), and avoid pointing the registry to unknown hosts.

LLM verification: [LLM Escalated] The document is a usage guide that instructs users to install and execute a third-party CLI (clawhub) and to interact with a remote registry. There is no code in the provided artifact to flag as malicious. However, the documented workflow is a high-risk supply-chain pattern: installing and running remote packages, exchanging credentials, and reading/writing local files. Recommend not installing or running the CLI until its source code and registry behavior are reviewed; use least-privilege execu