Check ClawHub trust before plugin installs (#81307)

Merged via squash. Prepared head SHA: 273fd7c20e Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com> Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com> Reviewed-by: @jesse-merhi
2026-05-21 00:44:46 +00:00 · 2026-05-13 16:31:52 +10:00
parent cf68115e6e
commit 87eb450047
23 changed files with 832 additions and 43 deletions
--- a/src/cli/plugins-cli.ts
+++ b/src/cli/plugins-cli.ts
@@ -18,10 +18,19 @@ import { applyParentDefaultHelpAction } from "./program/parent-default-help.js";

 export type PluginUpdateOptions = {
  all?: boolean;
+  acknowledgeClawhubRisk?: boolean;
  dryRun?: boolean;
  dangerouslyForceUnsafeInstall?: boolean;
 };

+type CommanderClawHubRiskOptions = Record<string, unknown> & {
+  acknowledgeClawhubRisk?: boolean;
+};
+
+function normalizeCommanderClawHubRiskOption(opts: CommanderClawHubRiskOptions): boolean {
+  return opts.acknowledgeClawhubRisk === true || opts.acknowledgeClawHubRisk === true;
+}
+
 export type PluginMarketplaceListOptions = {
  json?: boolean;
 };
@@ -253,6 +262,11 @@ export function registerPluginsCli(program: Command) {
      "Bypass built-in dangerous-code install blocking (plugin hooks may still block)",
      false,
    )
+    .option(
+      "--acknowledge-clawhub-risk",
+      "Acknowledge ClawHub release trust warnings without prompting",
+      false,
+    )
    .option(
      "--marketplace <source>",
      "Install a Claude marketplace plugin from a local repo/path or git/GitHub source",
@@ -260,7 +274,7 @@ export function registerPluginsCli(program: Command) {
    .action(
      async (
        raw: string,
-        opts: {
+        opts: CommanderClawHubRiskOptions & {
          dangerouslyForceUnsafeInstall?: boolean;
          force?: boolean;
          link?: boolean;
@@ -272,7 +286,13 @@ export function registerPluginsCli(program: Command) {
          "install command",
          async () => {
            const { runPluginInstallCommand } = await import("./plugins-install-command.js");
-            await runPluginInstallCommand({ raw, opts });
+            await runPluginInstallCommand({
+              raw,
+              opts: {
+                ...opts,
+                acknowledgeClawHubRisk: normalizeCommanderClawHubRiskOption(opts),
+              },
+            });
          },
          { command: "install" },
        );
@@ -290,9 +310,20 @@ export function registerPluginsCli(program: Command) {
      "Bypass built-in dangerous-code update blocking for plugins (plugin hooks may still block)",
      false,
    )
+    .option(
+      "--acknowledge-clawhub-risk",
+      "Acknowledge ClawHub release trust warnings without prompting",
+      false,
+    )
    .action(async (id: string | undefined, opts: PluginUpdateOptions) => {
      const { runPluginUpdateCommand } = await import("./plugins-update-command.js");
-      await runPluginUpdateCommand({ id, opts });
+      await runPluginUpdateCommand({
+        id,
+        opts: {
+          ...opts,
+          acknowledgeClawHubRisk: normalizeCommanderClawHubRiskOption(opts),
+        },
+      });
    });

  plugins