Security: openclaw/clawhub

SECURITY.md

Security Policy

Use GitHub Security Advisories for vulnerabilities in ClawHub itself.

Good ClawHub advisory reports include bugs in:

  • the ClawHub website, API, or CLI
  • registry publishing, downloads, installs, or artifact integrity
  • authentication, authorization, or API tokens
  • scanning, moderation, or report handling

Because ClawHub is a hosted cloud application, ClawHub service vulnerabilities are not publicly disclosed by default. They are publicly disclosed when there is evidence of real user impact or when users need to take action.

Examples of real user impact include confirmed exploitation, exposure of user data or secrets, malicious content reaching users because of a platform failure, or any issue that requires users to rotate credentials, update local software, or take other protective action.

Vulnerabilities in user-installed software, such as ClawHub CLI packages, binaries, libraries, or other release artifacts that users need to update locally, are publicly disclosed.

Do not use ClawHub advisories for vulnerabilities in a third-party skill or plugin's own source code. Report those directly to the publisher or source repository linked from the ClawHub listing.

Use ClawHub's listing reports for genuinely malicious or deceptive marketplace content, such as malicious listings, misleading metadata, undeclared permissions, suspicious install instructions, scam comments, impersonation, trademark misuse, or policy violations.

There aren't any published security advisories