CRAFT Security

CRAFT FRAMEWORK

CRAFTFramework.ai   Last Updated: June 14, 2026

SECURITY & VERIFYING YOUR DOWNLOAD

Security โ€” At a glance

CRAFT for Claude Cowork is distributed as a signed release. The most important thing is that you can verify a download really came from us and wasn’t tampered with โ€” and that if anything about that ever looks wrong, you tell us privately and fast so we can protect everyone.

We only distribute builds through our official GitHub Releases and the Downloads page โ€” never by direct message, email attachment, or any third-party mirror.

Report a security problem privately

Email security@craftframework.ai. Please do not post any of the following in a public place (a GitHub Discussion, social media, a forum), because public disclosure could put other users at risk:

  • A release whose signature or checksum does not verify.
  • Anything suggesting the signing key is compromised, or that a release was published that we didn’t author.
  • A vulnerability in a distributed CRAFT build.
  • Any way to make a malicious file appear to be a legitimate CRAFT release.

Please include the exact release tag (e.g. craft-for-claude-cowork-v.b0001.p202606.01b), what you observed (the signature/checksum output and the hashes you got), and how to reproduce it. We aim to acknowledge reports quickly, won’t take public action that exposes the issue before users can protect themselves, and โ€” if a key or release is affected โ€” will publish a signed advisory, rotate keys if needed, and note it in the changelog.

How to spot a fake

  • The only official places to download CRAFT for Claude Cowork are our GitHub Releases page and the Downloads page here.
  • Every release is signed and lists its checksums.
  • We will never ask you to run a script, paste a command, or install a build from anywhere other than those official places. Anyone who does is not us โ€” please report it.

Verify your download (recommended)

Each release ships a SHA256SUMS file and a detached SHA256SUMS.asc signature. Verifying takes two commands โ€” the full step-by-step is in VERIFY.md:

  1. sha256sum -c SHA256SUMS โ€” confirms the files match the published checksums.
  2. gpg --verify SHA256SUMS.asc SHA256SUMS โ€” confirms the checksums were signed by CRAFT.

If either check reports FAILED or BAD signature, stop โ€” do not run the file. Re-download from the official Releases page and verify again; if it still fails, report it privately as above.

A note on this beta

CRAFT for Claude Cowork is currently a free public beta โ€” no membership or payment is required to download or run it. See the Terms (Section 4.4, Free Public Beta Releases) for the details.

Contact