English
View as MarkdownView this page as plain textOpen in ChatGPTAsk questions about this pageOpen in ClaudeAsk questions about this pageOpen in PerplexityAsk questions about this page

Safety and Operations

Moderation and Account Safety

Moderation and Account Safety

ClawHub is open to publishing, but public discovery and install surfaces still need guardrails. Reports, moderation holds, hidden listings, and account actions help protect users when a release or account appears unsafe, misleading, or out of policy.

This page covers moderation and account standing. For audit labels such as Pass, Review, Warn, Malicious, and risk level, see Security Audits.

See also Security and Acceptable usage.

Reports

Signed-in users can report skills, plugins, packages, and comments.

Use ClawHub reports only for unsafe marketplace content, such as:

  • malicious listings
  • misleading metadata
  • undeclared credentials or permission requirements
  • suspicious install instructions
  • scam comments or impersonation
  • bad-faith registrations or trademark misuse
  • content that violates Acceptable usage

Use the Report skill button on a skill page, or the package reporting command/API for packages.

Do not use ClawHub reports for vulnerabilities in a third-party skill or plugin's own source code. Report those directly to the publisher or source repository linked from the listing. ClawHub does not maintain or patch third-party skill or plugin code.

GitHub Security Advisories for openclaw/clawhub are for vulnerabilities in ClawHub itself. Examples include bugs in the website, API, CLI, registry, auth, scanning, moderation, or download/install trust boundaries. Do not use ClawHub advisories for vulnerabilities in third-party skills or plugins.

Good reports are specific and actionable. Abuse of reporting can itself lead to account action.

Moderation holds

Some severe findings or policy issues can place a publisher or listing under a moderation hold. When this happens, affected content may be hidden from public discovery or future publishes may start hidden until the issue is reviewed.

Moderation holds are meant to protect users while ClawHub resolves high-risk cases. They can also be lifted when a false positive is confirmed.

Hidden or blocked listings

A listing may be held, hidden, quarantined, revoked, or otherwise unavailable on public install surfaces.

If you see one of these states, do not install the release unless the owner resolves the issue or moderation restores it.

Owners may still see diagnostics for their own held or hidden listings. These diagnostics help explain what happened and what needs to change before the listing can return to public surfaces.

Bans and account standing

Accounts that violate ClawHub policy may lose publishing access. Severe abuse can result in account bans, token revocation, hidden content, or removed listings.

Deleted, banned, or disabled accounts cannot use ClawHub API tokens. If CLI auth starts failing after account action, sign in to the web UI to review account state. If sign-in or normal CLI access is blocked by a ban or disabled account, use the ClawHub appeal form for recovery review.

If a scanner-triggered email names a skill or plugin version as malicious, download the stored scan results for the blocked submitted version: clawhub scan download <slug> --version <version>. For plugins, add --kind plugin. Review the scan output, fix the listing, increment the version number, and upload the fixed version.

Publisher guidance

To reduce false positives and improve user trust:

  • keep names, summaries, tags, and changelogs accurate
  • declare required environment variables and permissions
  • avoid obfuscated install commands
  • link to source when possible
  • use dry runs before publishing plugins
  • respond clearly if users or moderators ask about release behavior
Was this useful?
On this page

On this page