Check ClawHub trust before plugin installs (#81307)

Merged via squash. Prepared head SHA: 273fd7c20e Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com> Co-authored-by: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com> Reviewed-by: @jesse-merhi
2026-05-24 23:23:03 +00:00 · 2026-05-13 16:31:52 +10:00
parent cf68115e6e
commit 87eb450047
23 changed files with 832 additions and 43 deletions
--- a/src/cli/plugins-install-command.ts
+++ b/src/cli/plugins-install-command.ts
@@ -33,6 +33,7 @@ import { validateJsonSchemaValue } from "../plugins/schema-validator.js";
 import { defaultRuntime, type RuntimeEnv } from "../runtime.js";
 import { theme } from "../terminal/theme.js";
 import { shortenHomePath } from "../utils.js";
+import { resolveClawHubRiskAcknowledgementCliOptions } from "./clawhub-risk-acknowledgement.js";
 import { formatCliCommand } from "./command-format.js";
 import { looksLikeLocalInstallSpec } from "./install-spec.js";
 import { resolvePinnedNpmInstallRecordForCli } from "./npm-resolution.js";
@@ -558,6 +559,7 @@ export async function loadConfigForInstall(
 export async function runPluginInstallCommand(params: {
  raw: string;
  opts: InstallSafetyOverrides & {
+    acknowledgeClawHubRisk?: boolean;
    force?: boolean;
    link?: boolean;
    pin?: boolean;
@@ -941,6 +943,10 @@ export async function runPluginInstallCommand(params: {
  if (clawhubSpec) {
    const result = await installPluginFromClawHub({
      ...safetyOverrides,
+      ...resolveClawHubRiskAcknowledgementCliOptions({
+        acknowledgeClawHubRisk: opts.acknowledgeClawHubRisk,
+        action: "installing",
+      }),
      mode: installMode,
      spec: raw,
      extensionsDir,