diff --git a/docs/cli/plugins.md b/docs/cli/plugins.md index 90803bebe33..af563b951e1 100644 --- a/docs/cli/plugins.md +++ b/docs/cli/plugins.md @@ -100,6 +100,8 @@ Bare package names are checked against ClawHub first, then npm. Treat plugin ins This CLI flag applies to plugin install/update flows. Gateway-backed skill dependency installs use the matching `dangerouslyForceUnsafeInstall` request override, while `openclaw skills install` remains a separate ClawHub skill download/install flow. + If a plugin you published on ClawHub is blocked by a registry scan, use the publisher steps in [ClawHub](/tools/clawhub). + `plugins install` is also the install surface for hook packs that expose `openclaw.hooks` in `package.json`. Use `openclaw hooks` for filtered hook visibility and per-hook enablement, not package installation. diff --git a/docs/tools/clawhub.md b/docs/tools/clawhub.md index 924058e2981..543ea2a3383 100644 --- a/docs/tools/clawhub.md +++ b/docs/tools/clawhub.md 
@@ -128,15 +128,19 @@ shared, and gated, see [Skills](/tools/skills). ## Service features -| Feature | Notes | -| ------------------ | ---------------------------------------------------------- | -| Public browsing | Skills and their `SKILL.md` content are publicly viewable. | -| Search | Embedding-powered (vector search), not just keywords. | -| Versioning | Semver, changelogs, and tags (including `latest`). | -| Downloads | Zip per version. | -| Stars and comments | Community feedback. | -| Moderation | Approvals and audits. | -| CLI-friendly API | Suitable for automation and scripting. | +| Feature | Notes | +| ------------------------ | ------------------------------------------------------------------- | +| Public browsing | Skills and their `SKILL.md` content are publicly viewable. | +| Search | Embedding-powered (vector search), not just keywords. | +| Versioning | Semver, changelogs, and tags (including `latest`). | +| Downloads | Zip per version. | +| Stars and comments | Community feedback. | +| Security scan summaries | Detail pages show the latest scan state before install or download. | +| Scanner detail pages | VirusTotal, ClawScan, and static-analysis results have deep links. | +| Owner recovery dashboard | Publishers can see scan-held owned content from `/dashboard`. | +| Owner-requested rescans | Owners can request limited rescans for false-positive recovery. | +| Moderation | Approvals and audits. | +| CLI-friendly API | Suitable for automation and scripting. | ## Security and moderation 
@@ -145,6 +149,16 @@ account must be **at least one week old** to publish. This slows down abuse without blocking legitimate contributors. + + ClawHub runs automated security checks on published skills and plugin + releases. Public detail pages summarize the current result, and scanner + rows link to dedicated detail pages for VirusTotal, ClawScan, and static + analysis. + + Scan-held or blocked releases may be unavailable on public catalog and + install surfaces while still visible to their owner in `/dashboard`. + + - Any signed-in user can report a skill. - Report reasons are required and recorded. @@ -276,6 +290,23 @@ publish/sync. - `--json` — emit machine-readable output for CI. - `--source-repo`, `--source-commit`, `--source-ref` — optional overrides when auto-detection is not enough. + + + ```bash + clawhub skill rescan + clawhub skill rescan --yes --json + + clawhub package rescan + clawhub package rescan --yes --json + ``` + + Rescan commands require a logged-in owner token and target the latest + published skill version or plugin release. In non-interactive runs, pass + `--yes`. + + JSON responses include the target kind, name, version, rescan status, and + remaining/max request counts for that version or release. + ```bash diff --git a/docs/tools/plugin.md b/docs/tools/plugin.md index 8ad39e6596d..c3b8860e47d 100644 --- a/docs/tools/plugin.md +++ b/docs/tools/plugin.md 
@@ -434,6 +434,12 @@ dependency installs use the matching `dangerouslyForceUnsafeInstall` request override instead, while `openclaw skills install` remains the separate ClawHub skill download/install flow. +If a plugin you published on ClawHub is hidden or blocked by a scan, open the +ClawHub dashboard or run `clawhub package rescan ` to ask ClawHub to check +it again. `--dangerously-force-unsafe-install` only affects installs on your own +machine; it does not ask ClawHub to rescan the plugin or make a blocked release +public. + Compatible bundles participate in the same plugin list/inspect/enable/disable flow. Current runtime support includes bundle skills, Claude command-skills, Claude `settings.json` defaults, Claude `.lsp.json` and manifest-declared diff --git a/docs/tools/skills.md b/docs/tools/skills.md index 244bb29d327..3e0bb32f6b4 100644 --- a/docs/tools/skills.md +++ b/docs/tools/skills.md @@ -131,6 +131,12 @@ Native `openclaw skills install` installs into the active workspace configured OpenClaw workspace). OpenClaw picks that up as `/skills` on the next session. +ClawHub skill pages expose the latest security scan state before install, +with scanner detail pages for VirusTotal, ClawScan, and static analysis. +`openclaw skills install ` remains only the install path; publishers +recover false positives through the ClawHub dashboard or +`clawhub skill rescan `. + ## Security
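Review bot: in docs/cli/plugins.md (hunk at line 100), the new sentence sits directly under the `dangerouslyForceUnsafeInstall` paragraph but never says that the force flag has no effect on a registry block, which is the wrong conclusion that placement invites. The docs/tools/plugin.md hunk already says it "only affects installs on your own machine"; repeat that clause here. Also point the link at the part of /tools/clawhub that documents rescans rather than at the page top.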
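Review bot: in the docs/tools/clawhub.md feature table (hunk at line 128), the "Owner-requested rescans" row calls rescans "limited" without saying what the limit is or where a publisher can see it. The CLI hunk later in this file mentions remaining/max request counts per version or release. Either state the limit in this row or reference that output, so owners know the budget before spending a request.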
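Review bot: in docs/tools/clawhub.md under "Security and moderation" (hunk at line 145), "Scan-held or blocked releases" introduces two states that are not defined anywhere in the visible text, and the docs/tools/plugin.md hunk uses a third wording, "hidden or blocked". Define each state once, including which scanner outcome leads to it and whether it affects catalog listing, install, or both, then use the same terms in all four files. "May be unavailable" should also say what decides it.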
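Review bot: in the rescan block added to docs/tools/clawhub.md (hunk at line 276), the four example commands show no skill or package name, so it is unclear how the "latest published skill version or plugin release" is selected. If the command takes a target argument, show it as a placeholder in each example. For CI use with `--yes --json`, also document what is returned, and with what exit status, when the remaining request count is exhausted or the token does not belong to the owner.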
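Review bot: in docs/tools/plugin.md (hunk at line 434), "run `clawhub package rescan ` to ask ClawHub to check it again" omits the two constraints that the clawhub.md hunk states: the command needs a logged-in owner token, and requests are counted per release. Add a short clause or a link to that section so publishers do not assume unlimited retries. The code span also ends in a stray space with no argument shown, and should be made consistent with the examples in clawhub.md.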
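Review bot: in docs/tools/skills.md (hunk at line 131), "`openclaw skills install ` remains only the install path" leaves open whether the install command itself checks, displays, or enforces the scan state that the skill pages expose. Say explicitly what the CLI does when the latest scan result is a hold or block, so readers do not assume the web page summary is applied at install time. The phrase "remains only the install path" would read more clearly as a statement of what the command does not do, namely request a rescan.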