AboutPolicy

What ClawHub will not host

ClawHub is for useful, reviewable agent tooling. Skills that improve developer workflows, migrations, security review, or product implementation belong here. Abuse workflows do not.

Rejection Categories

Bypass and unauthorized access

Auth bypass, account takeover, CAPTCHA bypass, Cloudflare or anti-bot evasion, rate-limit bypass, reusable session theft, live call or agent takeover.

Platform abuse and ban evasion

Stealth accounts after bans, account warming/farming, fake engagement, multi-account automation, spam posting, marketplace or social automation built to avoid detection.

Fraud and deception

Fake certificates, fake invoices, deceptive payment flows, fake social proof, scam outreach, or synthetic-identity workflows built to create accounts for fraud.

Privacy-invasive surveillance

Mass contact scraping for spam, doxxing, stalking, covert monitoring, biometric / face-matching workflows without clear consent, or buying, publishing, downloading, or operationalizing leaked data or breach dumps.

Non-consensual impersonation

Face swap, digital twins, cloned influencers, fake personas, or other identity manipulation used to impersonate or mislead.

Explicit sexual content

NSFW image, video, or text generation, especially wrappers around third-party APIs with safety checks disabled.

Hidden or misleading execution

Obfuscated install commands, curl | sh, undeclared secret requirements, undeclared private-key use, or remote npx @latest execution without reviewability.

OkayNot okay

Recent patterns we are explicitly okay with

The line is intent and execution. Reviewable tooling for real work stays; tooling optimized for evasion, deception, or non-consensual use gets rejected.

Allowed

Useful, consent-based tooling

Frontend and design-system work that uses real components, semantic tokens, accessible states, and tested user flows.

shadcn/ui composition that uses installed source components, project aliases, and documented variants instead of one-off markup.

UI5 JavaScript-to-TypeScript conversion that preserves comments, uses concrete UI5 types, and keeps generated control interfaces reviewable.

Defensive security review, moderation tooling, and abuse-detection prompts that show evidence and keep human approval boundaries clear.

Consent-based workflow automation for personal or team accounts with explicit credentials, transparent setup, and dry-run or preview modes.

Docs, migration runbooks, local developer utilities, and test fixtures scoped to the repository they support.

Rejected

Abuse workflows in disguise

Create stealth seller accounts after marketplace bans.

Modify Telegram pairing so unapproved users automatically receive pairing codes.

Cultivate Reddit or Twitter accounts with undetectable automation.

Generate professional certificates or invoices for arbitrary use.

Generate NSFW content with safety checks disabled.

Scrape leads, enrich contacts, and launch cold outreach at scale.

Buy, publish, or download leaked data or breach dumps.

Bulk-create email or social accounts with synthetic identities or CAPTCHA solving.

Enforcement

We may hide, remove, or hard-delete violating skills.

We may revoke tokens, soft-delete associated content, and ban repeat or severe offenders.

We do not guarantee warning-first enforcement for obvious abuse.

Next steps

If you are reviewing a borderline workflow, use the reviewer doc. If you are browsing, stay in the public catalog.

Browse Skills Reviewer Doc