How does ClawSafe work?
ClawSafe runs a multi-agent security analysis pipeline: a Collection Agent extracts skill files, a Static Rule Agent runs 80+ pattern-matching rules, a Semantic Analysis Agent reasons through full context to identify attack chains, a Classification Agent maps findings to 10 threat categories, a Scoring Agent computes the risk score, and a Report Agent aggregates everything into a structured output — all in under 60 seconds.
Are my uploaded files saved?
No. Raw files are processed in memory and immediately discarded — never written to disk, never persisted. Reports only store skill metadata (name, source, analysis results), not your original code.
Do I need to create an account?
No. Scanning is completely free and requires no registration. Just paste a GitHub URL or upload a file to get a report.
What input formats does ClawSafe support?
GitHub repository URLs, ClawHub skill page URLs, direct .zip archive links, or direct file/folder uploads via browser drag-and-drop.
What is ClawHub?
ClawHub is a skill registry for AI coding tools — like npm or PyPI, but for skills used by Claude Code, OpenClaw, and similar AI development tools. ClawSafe actively scans newly published skills on ClawHub.
Are reports public?
Yes. All reports are public by default to enable community verification. Reports are deduplicated by skill name. The report URL format is /report/{id}. If you believe a report is incorrect, email us to dispute it.
Does 'safe' mean absolutely safe?
No. ClawSafe's verdict is a risk signal based on static analysis and LLM reasoning — false positives and false negatives both exist. 'Safe' means no obvious threats were found, not a guarantee. We recommend human code review for critical skills.
Are dangerous skills removed from ClawHub?
ClawSafe does not directly control ClawHub listings. We publicly surface high-risk skills on the leaderboard and report them to the ClawHub platform. For urgent threats, contact us at [email protected].
How do I use the API?
Visit /api-docs for full documentation. Core endpoints: POST /api/scan to submit a scan, GET /api/report/{id} to retrieve a report. The API is currently free with rate limits.
Why might Chinese and English reports differ for the same skill?
ClawSafe uses language-specific system prompts for the Semantic Analysis Agent. Different agent instructions can produce slightly different findings, but risk scores are based on the same static rule engine and differences are usually minimal.
Is ClawSafe open source?
Not currently. We are evaluating open-sourcing the agent analysis engine. The full scanning methodology is documented at /methodology.
How do I report a false positive or false negative?
Email [email protected] with the report link and your reasoning. We manually review and update reports.
Still have questions?
Reach out by email or scan your skill directly to see the results.