docs: add clawhub rescan recovery guidance (#73414)

* docs: add clawhub rescan recovery guidance

* docs: clarify clawhub rescan wording

docs/cli/plugins.md

@@ -100,6 +100,8 @@ Bare package names are checked against ClawHub first, then npm. Treat plugin ins
 
     This CLI flag applies to plugin install/update flows. Gateway-backed skill dependency installs use the matching `dangerouslyForceUnsafeInstall` request override, while `openclaw skills install` remains a separate ClawHub skill download/install flow.
 
+    If a plugin you published on ClawHub is blocked by a registry scan, use the publisher steps in [ClawHub](/tools/clawhub).
+
   </Accordion>
   <Accordion title="Hook packs and npm specs">
     `plugins install` is also the install surface for hook packs that expose `openclaw.hooks` in `package.json`. Use `openclaw hooks` for filtered hook visibility and per-hook enablement, not package installation.

docs/tools/clawhub.md

@@ -128,15 +128,19 @@ shared, and gated, see [Skills](/tools/skills).
 
 ## Service features
 
-| Feature            | Notes                                                      |
-| ------------------ | ---------------------------------------------------------- |
-| Public browsing    | Skills and their `SKILL.md` content are publicly viewable. |
-| Search             | Embedding-powered (vector search), not just keywords.      |
-| Versioning         | Semver, changelogs, and tags (including `latest`).         |
-| Downloads          | Zip per version.                                           |
-| Stars and comments | Community feedback.                                        |
-| Moderation         | Approvals and audits.                                      |
-| CLI-friendly API   | Suitable for automation and scripting.                     |
+| Feature                  | Notes                                                               |
+| ------------------------ | ------------------------------------------------------------------- |
+| Public browsing          | Skills and their `SKILL.md` content are publicly viewable.          |
+| Search                   | Embedding-powered (vector search), not just keywords.               |
+| Versioning               | Semver, changelogs, and tags (including `latest`).                  |
+| Downloads                | Zip per version.                                                    |
+| Stars and comments       | Community feedback.                                                 |
+| Security scan summaries  | Detail pages show the latest scan state before install or download. |
+| Scanner detail pages     | VirusTotal, ClawScan, and static-analysis results have deep links.  |
+| Owner recovery dashboard | Publishers can see scan-held owned content from `/dashboard`.       |
+| Owner-requested rescans  | Owners can request limited rescans for false-positive recovery.     |
+| Moderation               | Approvals and audits.                                               |
+| CLI-friendly API         | Suitable for automation and scripting.                              |
 
 ## Security and moderation
 
@@ -145,6 +149,16 @@ account must be **at least one week old** to publish. This slows down
 abuse without blocking legitimate contributors.
 
 <AccordionGroup>
+  <Accordion title="Security scans">
+    ClawHub runs automated security checks on published skills and plugin
+    releases. Public detail pages summarize the current result, and scanner
+    rows link to dedicated detail pages for VirusTotal, ClawScan, and static
+    analysis.
+
+    Scan-held or blocked releases may be unavailable on public catalog and
+    install surfaces while still visible to their owner in `/dashboard`.
+
+  </Accordion>
   <Accordion title="Reporting">
     - Any signed-in user can report a skill.
     - Report reasons are required and recorded.
@@ -276,6 +290,23 @@ publish/sync.
     - `--json` — emit machine-readable output for CI.
     - `--source-repo`, `--source-commit`, `--source-ref` — optional overrides when auto-detection is not enough.
 
+  </Accordion>
+  <Accordion title="Request rescans">
+    ```bash
+    clawhub skill rescan <slug>
+    clawhub skill rescan <slug> --yes --json
+
+    clawhub package rescan <name>
+    clawhub package rescan <name> --yes --json
+    ```
+
+    Rescan commands require a logged-in owner token and target the latest
+    published skill version or plugin release. In non-interactive runs, pass
+    `--yes`.
+
+    JSON responses include the target kind, name, version, rescan status, and
+    remaining/max request counts for that version or release.
+
   </Accordion>
   <Accordion title="Delete / undelete (owner or admin)">
     ```bash

docs/tools/plugin.md

@@ -434,6 +434,12 @@ dependency installs use the matching `dangerouslyForceUnsafeInstall` request
 override instead, while `openclaw skills install` remains the separate ClawHub
 skill download/install flow.
 
+If a plugin you published on ClawHub is hidden or blocked by a scan, open the
+ClawHub dashboard or run `clawhub package rescan <name>` to ask ClawHub to check
+it again. `--dangerously-force-unsafe-install` only affects installs on your own
+machine; it does not ask ClawHub to rescan the plugin or make a blocked release
+public.
+
 Compatible bundles participate in the same plugin list/inspect/enable/disable
 flow. Current runtime support includes bundle skills, Claude command-skills,
 Claude `settings.json` defaults, Claude `.lsp.json` and manifest-declared

docs/tools/skills.md

@@ -131,6 +131,12 @@ Native `openclaw skills install` installs into the active workspace
 configured OpenClaw workspace). OpenClaw picks that up as
 `<workspace>/skills` on the next session.
 
+ClawHub skill pages expose the latest security scan state before install,
+with scanner detail pages for VirusTotal, ClawScan, and static analysis.
+`openclaw skills install <slug>` remains only the install path; publishers
+recover false positives through the ClawHub dashboard or
+`clawhub skill rescan <slug>`.
+
 ## Security
 
 <Warning>