But how do I know that code that has been vetted is what was compiled? There is no checksum delivered with the binary. Do I need to compile it myself?
This is a very good point that not too many people even address to themselves. I believe the gitian (a deterministic build platform) compile method is used to create these binaries, so xploited(dev/host) may be able to provide the hashes. If you can get it to compile with gitian, you can match the hashes for yourself.
There hasn't really been any demand for it that I've seen in the 8 months that I've known the CLAMS family (so to speak) for, so it simply hasn't been done. I've seen zero reports of malware-infected CLAMS clients (fingers crossed), not to say it can't happen. Typically those who are worried want to compile it themselves, just for the matter of principle. It's the clear and only option I would recommend if you are in any way worried that the binaries aren't clean, or are simply claiming clams. If you are using Linux, you'll probably need to compile it anyhow for the dependencies.