My suggestion is that maybe is possible for you to set up a clean OS where you can install the Clamclient and let it fully sync with the clam blockchain, maybe a full sync won't be needed because I think since the undug clams were assigned prior the Clam blockchain started running, those clams must be at the beginning of the Clam blockchain (but at least you will need a few blocks in your clam blockchain), then you can unplug/block/disconnect it from the Internet from your freshly installed OS, import your btc/ltc/doge wallet, check how many Clams you got and them create a transaction and sign it with you Private Keys, you will need to create a receiving address and properly make a backup of it, so you don't send your Clams into oblivion.
All this done without Internet connection should protect you from the possibility of your Private Keys being sent by the software to the Internet, then with the transaction saved in a file you can find a way to decode the transaction, there you can see if there is something wrong with the code or signature, then you can push the transaction to the clam blockchain and your transaction should be mined and validated, usually you'll have few option with clam to push your transaction, you can make another Clean OS and this time I think you should have to fully sync it, so you can push your transaction or you can ask a friend with a sync clam client to push it for you (coz as far I know there no risk for your Clams to be stole by being push by other person).
After all that, you need to properly delete your clean OS (the one were you put you btc/ltc/doge wallet) so you don't let any possibility of your Private Keys being compromised, Probably occupy the Entire disk with new data and proper format should do it.
Thanks for the thought you put into it, but it would still mean that I give eg clamd access to my keys (in a truly paranoid way I could argue that they might be added into the transaction as eg comments). Ideally, Clam would allow me to export an unsigned transaction which I can sign for example with Electrum or signrawtransaction, save and re-import in Clam to broadcast. I'm looking for a method where I don't need to give Clam any access to any private key.
I think there is a simpler solution.
1) Move all BTC off the addresses that had BTC on the distribution day to new addresses on your Trezor hardware wallet.
2) Import the private keys of all these addresses into the clam client
3) Get the clams [!]
4) Discard the Bitcoin private keys used to get clams and never use them again.
That way you do not have to be as careful as is described above.
I'm aware that you can first empty the BTC address to a new one, but that's not an option in some cases (like, giving up my sig address).
Not to mention that it would also imply to change all addresses in use for payouts with other services. To get some clams, I'd have to update each and every account where I have a btc address configured. That's not a solution.