CodeGate provides two scan-first installer wrappers. Both wrappers intercept install subcommands, run a preflight scan on the target, and only proceed if policy allows.
  • codegate skills [skillsArgs...] — wraps npx skills
  • codegate clawhub [clawhubArgs...] — wraps npx clawhub

How preflight scanning works

codegate skills

When you run codegate skills add <source>, CodeGate:
  1. Resolves the requested source target (GitHub URL, local path, or shorthand owner/repo).
  2. Runs the full static scan pipeline against the resolved target.
  3. If dangerous findings are detected (exit code 2), aborts the install — fail-closed.
  4. If warning-level findings are detected and auto_proceed_below_threshold is not true, prompts for confirmation (or aborts in non-interactive mode).
  5. If policy allows, passes the original arguments through to npx skills to complete the install.

codegate clawhub

When you run codegate clawhub install <slug>, CodeGate:
  1. Resolves the skill slug to a canonical clawhub.ai URL and runs clawhub inspect to stage the remote skill content in a temporary directory.
  2. Runs the full static scan pipeline against the staged content.
  3. If dangerous findings are detected (exit code 2), aborts the install — fail-closed.
  4. If warning-level findings are detected and auto_proceed_below_threshold is not true, prompts for confirmation (or aborts in non-interactive mode).
  5. If policy allows, passes the original arguments through to npx clawhub to complete the install. The temporary staged content is cleaned up after the install.

Fail-closed behavior

Both wrappers are fail-closed. If the preflight scan itself fails (for example, the source is unreachable or a parse error occurs), the install is aborted with exit code 3. Use --cg-force to override this and proceed anyway.

In non-interactive mode, warning-level findings also abort the install. Use --cg-force to skip the confirmation and proceed.

Pass-through behavior

Non-install subcommands are passed directly to the underlying tool without any preflight scanning:
# Passed through without scanning
codegate skills find security
codegate clawhub search security

Wrapper flags

All --cg-* flags are consumed by CodeGate and are not forwarded to the underlying installer command.
--cg-force (boolean, default: false)
    Continue with the install when the preflight scan fails or returns blocking findings. Also skips the warning-level confirmation prompt.

--cg-deep (boolean, default: false)
    Enable Layer 3 deep analysis during the preflight scan.

--cg-no-tui (boolean, default: false)
    Disable TUI and interactive prompts during the preflight scan.

--cg-verbose (boolean, default: false)
    Enable extended terminal output during the preflight scan.

--cg-include-user-scope (boolean, default: false)
    Include user/home config surfaces in the preflight scan.

--cg-collect (string)
    Preflight collection scope mode. Valid values: default, project, user, explicit, all. Repeatable.

--cg-collect-kind (string)
    Restrict preflight collection to specific artifact kinds. Valid values: workflows, actions, dependabot. Repeatable.

--cg-strict-collection (boolean, default: false)
    Treat parse failures in preflight-collected inputs as high-severity findings.

--cg-persona (string, default: regular)
    Preflight audit persona. Valid values: regular, pedantic, auditor.

--cg-runtime-mode (string, default: offline)
    Preflight runtime mode. Valid values: offline, online, online-no-audits.

--cg-workflow-audits (boolean, default: false)
    Enable the CI/CD workflow audit pack for preflight scans.

--cg-format (string, default: terminal)
    Preflight scan output format. Valid values: terminal, json, sarif, markdown, html.

--cg-config (string)
    Path to a specific CodeGate config file to use for the preflight scan.

-- (string)
    Stop wrapper-option parsing. All arguments after -- are forwarded to the underlying installer command unchanged.
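
A CI job can keep the wrappers fail-closed by refusing --cg-force and treating every non-zero exit as a block. The script below is an added example, not part of CodeGate: the function names has_force and gated_install and the refusal code 64 are constructed for illustration, and it assumes exit code 0 means the scan passed and the install completed.

```shell
#!/usr/bin/env bash
# Added example: pipeline gate around the CodeGate wrappers (not CodeGate code).
# From the page: exit 2 = dangerous findings, exit 3 = preflight scan failed,
# --cg-force overrides both, and arguments after "--" go to the installer.
# Assumption: exit 0 means the scan passed and the install completed.

# has_force ARGS... : succeeds if --cg-force appears before a "--" separator,
# which is where CodeGate would consume it as a wrapper flag.
has_force() {
  local arg
  for arg in "$@"; do
    [ "$arg" = "--" ] && return 1
    # The "=value" spelling is matched defensively; the page only shows the bare flag.
    case "$arg" in --cg-force|--cg-force=*) return 0 ;; esac
  done
  return 1
}

# gated_install TOOL SUBCOMMAND TARGET [ARGS...]
# Returns 0 only when the wrapper exits 0; every other outcome blocks the job.
gated_install() {
  local tool=$1 sub=$2 target=$3 rc=0
  if has_force "$@"; then
    echo "refused: --cg-force is not allowed in this pipeline" >&2
    return 64   # constructed refusal code, not a CodeGate exit code
  fi
  shift 3
  # --cg-no-tui disables prompts, so warning-level findings abort instead of waiting.
  codegate "$tool" "$sub" "$target" --cg-no-tui "$@" || rc=$?
  case "$rc" in
    0) echo "install allowed by preflight policy" >&2 ;;
    2) echo "blocked: dangerous findings in $target" >&2 ;;
    3) echo "blocked: preflight scan failed for $target" >&2 ;;
    *) echo "blocked: unexpected exit code $rc" >&2 ;;
  esac
  return "$rc"
}
```

Call it as gated_install clawhub install security-auditor --version 1.0.0; a --cg-force placed after -- is not refused, because the wrapper forwards it to the installer rather than consuming it.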

Config policy controls

Wrapper preflight scans honor the same config policy controls as codegate scan, including suppress_findings, suppression_rules, rule_pack_paths, allowed_rules, and skip_rules.

codegate skills examples

# Basic install with preflight scan
codegate skills add https://github.com/vercel-labs/skills --skill find-skills

# Force install even if preflight scan returns blocking findings
codegate skills add https://github.com/owner/repo --skill security-review --cg-force

# Enable Layer 3 deep analysis during preflight
codegate skills add https://github.com/owner/repo --skill security-review --cg-deep

# Workflow audit pack with project scope during preflight
codegate skills add https://github.com/owner/repo --skill security-review --cg-workflow-audits --cg-collect project

# Restrict preflight collection to workflow files only
codegate skills add https://github.com/owner/repo --skill security-review --cg-collect-kind workflows

# Auditor persona with strict collection during preflight
codegate skills add https://github.com/owner/repo --skill security-review --cg-strict-collection --cg-persona auditor

# Online runtime mode during preflight
codegate skills add https://github.com/owner/repo --skill security-review --cg-runtime-mode online

# Output preflight results as JSON
codegate skills add https://github.com/owner/repo --skill security-review --cg-format json

# Use a custom CodeGate config file for preflight
codegate skills add https://github.com/owner/repo --skill security-review --cg-config ~/.codegate/config.json

# Pass a custom flag directly to the skills installer (not scanned)
codegate skills add https://github.com/owner/repo --skill security-review -- --registry custom

codegate clawhub examples

# Basic install with preflight scan
codegate clawhub install security-auditor

# Install a specific version
codegate clawhub install security-auditor --version 1.0.0

# Enable Layer 3 deep analysis during preflight
codegate clawhub install security-auditor --cg-deep

# Workflow audit pack with project scope during preflight
codegate clawhub install security-auditor --cg-workflow-audits --cg-collect project

# Restrict preflight collection to workflow files only
codegate clawhub install security-auditor --cg-collect-kind workflows

# Auditor persona with strict collection during preflight
codegate clawhub install security-auditor --cg-strict-collection --cg-persona auditor

# Online runtime mode during preflight
codegate clawhub install security-auditor --cg-runtime-mode online

# Non-interactive preflight with JSON output
codegate clawhub install security-auditor --cg-no-tui --cg-format json

# Use a custom CodeGate config file for preflight
codegate clawhub install security-auditor --cg-config ~/.codegate/config.json

# Pass a custom registry flag directly to clawhub (not scanned)
codegate clawhub install security-auditor -- --registry https://registry.clawhub.ai

# Non-install subcommand — passed through without scanning
codegate clawhub search security

Getting help

codegate skills --help
codegate clawhub --help