Use GitHub Security Advisories for vulnerabilities in ClawHub itself.

Good ClawHub advisory reports include bugs in:

• the ClawHub website, API, or CLI
• registry publishing, downloads, installs, or artifact integrity
• authentication, authorization, or API tokens
• scanning, moderation, or report handling

Do not use ClawHub advisories for vulnerabilities in a third-party skill or plugin's own source code. Report those directly to the publisher or source repository linked from the ClawHub listing.

Use ClawHub's listing reports for genuinely malicious or deceptive marketplace content, such as malicious listings, misleading metadata, undeclared permissions, suspicious install instructions, scam comments, impersonation, trademark misuse, or policy violations.