Add ClawHub skill verification and trust surfaces

[Patrick-Erichsen]

Summary

• adds openclaw skills verify <slug> backed by ClawHub /verify, with --version, --tag, --card, shared/global workspace, and installed/uninstalled target resolution
• resolves installed ClawHub skills from installer-owned lock/origin metadata and fails closed on malformed trust envelopes/card downloads
• adds skills.securityVerdicts and skills.skillCard gateway methods so Control UI can show a top-level ClawHub verdict plus a lazy local skill-card.md tab
• keeps verdict fetching bulk/narrow: one passive unauthenticated request for linked installs, no card data and no full scanner payload; detailed reports link out to ClawHub

Cross-repo dependency

• depends on ClawHub bulk verdict endpoint in Add bulk skill security verdicts endpoint clawhub#2404: POST /api/v1/skills/-/security-verdicts
• deployed to production on May 26, 2026 and verified against openclaw/discrawl@1.0.0
• OpenClaw intentionally does not fall back to N per-skill requests; old/self-hosted ClawHub endpoints can report verdicts unavailable until the endpoint exists

Tests

• CI=true pnpm test src/infra/clawhub.test.ts src/agents/skills-clawhub.test.ts src/cli/skills-cli.commands.test.ts src/cli/skills-cli.verify.test.ts -- --reporter=dot
• CI=true pnpm check:changed
• CI=true pnpm format:docs:check
• git diff --check
• pnpm test src/agents/skills-status.test.ts src/gateway/server-methods/skills.clawhub.test.ts src/infra/clawhub.test.ts src/gateway/server-methods-list.test.ts ui/src/ui/controllers/skills.test.ts ui/src/ui/views/skills.test.ts
• pnpm tsgo:core
• pnpm tsgo:test:src
• pnpm tsgo:test:ui
• pnpm check:changed
• pnpm ui:build
• pnpm protocol:check
• pnpm ui:i18n:check

Real behavior proof

Behavior addressed: installed ClawHub skills can show a compact Control UI trust verdict, lazy-load the local skill-card.md, and link to the full ClawHub security report without cloning the scanner UI into OpenClaw.

Real environment tested: local OpenClaw workspace with openclaw/discrawl@1.0.0 installed from production https://clawhub.ai; source gateway from this PR branch on loopback port 18879; ClawHub production security-audit page.

Exact steps or command run after this patch:

• Installed discrawl from ClawHub into the local main workspace.
• Started a source gateway from this PR branch with channels disabled on loopback port 18879.
• Called skills.status, skills.securityVerdicts, and skills.skillCard through the gateway.
• Opened the Skills detail view in the Control UI, checked the verdict overview, opened the Skill Card tab, and opened the full ClawHub security report.
• After the latest ClawSweeper findings, ran node scripts/run-vitest.mjs ui/src/ui/views/skills.test.ts src/agents/skills-clawhub.test.ts.

Evidence after fix:

{
  "schema": "openclaw.skills.security-verdicts.v1",
  "items": [
    {
      "registry": "https://clawhub.ai",
      "ok": true,
      "decision": "pass",
      "requestedSlug": "discrawl",
      "requestedVersion": "1.0.0",
      "slug": "discrawl",
      "version": "1.0.0",
      "displayName": "Discrawl",
      "publisherHandle": "openclaw",
      "skillUrl": "https://clawhub.ai/openclaw/discrawl",
      "securityAuditUrl": "https://clawhub.ai/openclaw/discrawl/security-audit?version=1.0.0",
      "securityStatus": "clean",
      "securityPassed": true
    }
  ]
}

skills.status confirmed discrawl is linked to https://clawhub.ai, installedVersion 1.0.0, with local skillCard.present true.
skills.skillCard returned the local card for discrawl from skill-card.md.
Control UI rendered the Clean verdict overview, Full security report link, and Skill Card tab.
The ClawHub production report opened at https://clawhub.ai/openclaw/discrawl/security-audit?version=1.0.0.

RUN  v4.1.7 /Users/patrickerichsen/Git/openclaw/openclaw

Test Files  3 passed (3)
Tests  60 passed (60)
Command: node scripts/run-vitest.mjs ui/src/ui/views/skills.test.ts src/agents/skills-clawhub.test.ts

Observed result after fix: the happy path renders the current ClawHub verdict and local Skill Card; the UI verdict helper now only shows clean when ok === true and decision === "pass"; installed CLI verification now rejects origin/lock registry disagreement before contacting a registry.

What was not tested: the currently installed packaged beta gateway does not expose these new methods until this PR ships; after the latest review fixes I reran the targeted touched tests above, not the full changed-file gate.

Review

• autoreview accepted findings fixed: verified card URL binding, missing card metadata, card byte cap, release-owned changelog removal, fail-closed malformed decisions, lockfile-corroborated installed origin metadata, method reachability, token-safe passive verdict fetches, lazy/symlink-safe local card reads, provenance install-dir/registry checks, non-blocking verdict refresh, and stale Skill Card cache guards
• final read-only subagent review: no blocking findings after fixes
• final autoreview remaining finding rejected as an expected cross-repo dependency on Add bulk skill security verdicts endpoint clawhub#2404, verified in that ClawHub branch

Agent Transcript

Redacted Codex session transcript: Add ClawHub skill verification and trust surfaces

source: [LOCAL_SESSION]
redaction: local paths, emails, phone-shaped strings, token-shaped strings, auth headers, auth query params
omitted: raw tool outputs, system/developer prompts, local paths, secrets, browser/session/auth details, unrelated turns
scope: selected PR-relevant turns only

[user]
Linked the earlier draft OpenClaw PR and the merged ClawHub Skill Card work, then asked to mirror the current ClawHub CLI behavior in OpenClaw so users can verify a skill.

[assistant]
Grounded the work in the newer ClawHub contract rather than the stale draft. Identified the OpenClaw work as a consumer-side implementation for ClawHub `/verify` plus Skill Card behavior, with installed-skill resolution from ClawHub origin metadata.

[user]
Asked whether ClawHub's hashing fixes for generated `skill-card.md` would affect OpenClaw.

[assistant]
Decided OpenClaw verification should not recompute local bundle hashes. The installed bundle may contain generated `skill-card.md`, but OpenClaw should resolve the installed slug/version from local provenance and trust ClawHub's verification envelope. Added a regression requirement so local generated cards do not cause source-fingerprint mismatch failures.


[user]
Clarified the CLI surface: mirror `--version`, `--tag`, and `--card`; remove `--json` because JSON is already the default.

[assistant]
Implemented the OpenClaw CLI work test-first. Added ClawHub client helpers for the current `/verify` and card fetch contracts, installed-origin target resolution, `openclaw skills verify`, JSON-default output, `--card`, failure exit behavior, and generated `skill-card.md` regression coverage.

[assistant]
During review, accepted and fixed trust-surface findings: `--card` must fetch the exact verified `card.url`, card downloads must be bounded, and successful verification must require both `ok === true` and `decision === "pass"`. Reran focused tests and changed-file gates after each fix.

[user]
Asked how the Control UI should show security scan info and the Skill Card, and whether OpenClaw should fetch full scan details from ClawHub at page load.

[assistant]
Separated the authority boundaries:
- disk state proves install provenance and can provide local `skill-card.md`;
- ClawHub remains the runtime authority for the current security verdict;
- ClawHub remains the UI owner for the full security report.

[user]
Asked whether OpenClaw would need `n` requests to refresh verdicts for many installed skills and whether a bulk endpoint was needed.

[assistant]
Recommended a new ClawHub bulk security verdict endpoint rather than per-skill verify calls or full scan fetches. The endpoint should return compact top-level verdicts for exact `{ slug, version }` pairs, and OpenClaw should render only the minimal verdict summary plus a link to the full ClawHub report.

[user]
Confirmed that OpenClaw should not fetch card data remotely because installed ClawHub skills already have local `skill-card.md`.

[assistant]
Updated the design accordingly: Control UI reads the Skill Card from disk, fetches only current security verdicts from ClawHub, avoids maintaining a duplicate scanner UI, and links out to ClawHub for details.

[assistant]
Implemented the OpenClaw UI/gateway side. Added ClawHub linkage and local Skill Card metadata to skills status, new gateway methods for bulk `skills.securityVerdicts` and lazy local `skills.skillCard`, protocol models, UI controller caching/loading, and Skills view rendering for verdict overview, full security report link, and the Skill Card tab.

[assistant]
Collected local proof with `openclaw/discrawl@1.0.0`: installed the skill, confirmed local `skill-card.md` and ClawHub origin metadata, verified the production bulk verdict returned `pass` / `clean`, and confirmed the source gateway rendered the verdict overview and Skill Card tab. Saved UI screenshots for PR proof.

[tool summary]
Local-only transcript render; raw tool outputs omitted. Relevant implementation proof included targeted Vitest shards, changed-file gates, autoreview fixes, protocol generation, and browser verification of the OpenClaw Skills UI against a locally running source gateway.

[clawsweeper]

Codex review: found issues before merge. Reviewed May 27, 2026, 3:10 PM ET / 19:10 UTC.

Summary
The PR adds ClawHub skill verification CLI support, ClawHub trust/card helpers, new skills gateway methods/protocol models, Control UI verdict and Skill Card rendering, docs, and tests.

PR surface: Source +1679, Tests +2095, Docs +31, Other +80. Total +3885 across 32 files.

Reproducibility: yes. for the review finding: source inspection shows --card reads card.url from the verification envelope and fetchClawHubSkillCard follows absolute off-registry URLs. I did not run the PR because this is a read-only review.

Review metrics: 1 noteworthy metric.

• New trust surfaces: 1 CLI command, 2 gateway methods. The PR adds operator-visible verification and protocol methods on a security/trust boundary, so maintainers should review the API and threat model before merge.

Merge readiness
Overall: 🧂 unranked krab
Proof: 🦞 diamond lobster
Patch quality: 🧂 unranked krab
Result: blocked by patch quality or review findings.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Bind generated-card fetches to the selected registry or documented allowlist and add an off-registry rejection test.
• Rerun the focused CLI, ClawHub helper, gateway, UI, protocol, and i18n checks already listed in the PR after the security-boundary repair.

Mantis proof suggestion
The Control UI trust verdict and Skill Card tab are visible behavior that would benefit from a short maintainer-run visual proof after the security fix. A maintainer can ask Mantis to capture proof by posting a new PR comment that starts with the OpenClaw Mantis account mention, followed by:

visual task: verify an installed ClawHub skill shows the Clean verdict, Full security report link, and Skill Card tab in the Skills detail view.

Risk before merge

• The current --card path can make an operator machine fetch an arbitrary absolute URL supplied by a ClawHub verification response; suppressing auth avoids credential leakage but does not close the registry trust boundary.
• This PR carries the protected maintainer label and a security-boundary merge risk, so the card URL policy needs explicit maintainer comfort even after the narrow repair.

Maintainer options:

1. Bind Card Fetches To Registry (recommended)
   Require verified Skill Card URLs to resolve under the selected ClawHub registry or a documented allowlist, and add a regression that rejects off-registry absolute URLs.
2. Own Delegated Card Hosting
   Maintainers could explicitly accept delegated card hosting, but that should be documented as part of the ClawHub verification contract before merging.
3. Pause For ClawHub Contract
   If CDN or external card hosting is required, pause this PR until ClawHub exposes a registry-owned card URL or signed redirect contract OpenClaw can enforce.

Copy recommended automerge instruction

@clawsweeper automerge

Special instructions:
Constrain `fetchClawHubSkillCard`/`readVerifiedSkillCardUrl` so `--card` only fetches same-registry HTTPS card URLs for the verified slug/version, add a regression rejecting off-registry absolute URLs, and keep Authorization from being sent to non-registry origins.

Next step before merge
The remaining blocker is a concrete security-boundary repair plus maintainer agreement on the permanent card URL policy, so this should stay with the author/maintainer review path rather than be swept closed.

Security
Needs attention: The diff adds useful trust surfaces, but the generated-card fetch path still crosses the registry boundary by following arbitrary verification-provided URLs.

Review findings

• [P1] Reject off-registry Skill Card URLs — src/infra/clawhub.ts:1035-1038

Review details

Best possible solution:

Bind Skill Card downloads to the selected ClawHub registry or an explicit maintainer-approved allowlist, add an off-registry rejection regression, then rerun the targeted trust-surface tests before maintainer review.

Do we have a high-confidence way to reproduce the issue?

Yes for the review finding: source inspection shows --card reads card.url from the verification envelope and fetchClawHubSkillCard follows absolute off-registry URLs. I did not run the PR because this is a read-only review.

Is this the best way to solve the issue?

No: the feature direction is strong, but the card-fetch implementation should enforce the registry trust boundary before merge. The safer path is to keep the local Skill Card UI design and bind remote generated-card fetches to registry-owned URLs.

Full review comments:

• [P1] Reject off-registry Skill Card URLs — src/infra/clawhub.ts:1035-1038
fetchClawHubSkillCard still accepts the verification envelope's absolute card.url and fetches it even when it points outside the selected ClawHub registry; it only suppresses auth for a different origin. That lets a compromised or misconfigured registry turn openclaw skills verify --card into an arbitrary outbound fetch from the operator machine. Bind this to the registry-owned card endpoint or an explicit allowlist and add a rejection test for off-registry URLs.
  Confidence: 0.88

Overall correctness: patch is incorrect
Overall confidence: 0.88

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 2f710f560450.

Label changes

Label justifications:

• P2: This is a normal-priority feature PR with a focused security-boundary blocker rather than an active user regression.
• merge-risk: 🚨 security-boundary: Merging as-is would let a ClawHub verification response drive outbound Skill Card fetches from the operator machine outside the selected registry.
• rating: 🧂 unranked krab: Overall readiness is 🧂 unranked krab; proof is 🦞 diamond lobster and patch quality is 🧂 unranked krab.
• status: ⏳ waiting on author: ClawSweeper has contributor-facing work open and is waiting for author action. Sufficient (live_output): The PR body includes after-fix live output from a local source gateway and Control UI against an installed production ClawHub skill, plus observed verdict/card behavior; contributors should continue redacting private paths, endpoints, keys, phone numbers, and similar details in future proof.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body includes after-fix live output from a local source gateway and Control UI against an installed production ClawHub skill, plus observed verdict/card behavior; contributors should continue redacting private paths, endpoints, keys, phone numbers, and similar details in future proof.

Evidence reviewed

PR surface:

Source +1679, Tests +2095, Docs +31, Other +80. Total +3885 across 32 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	18	1720	41	+1679
Tests	11	2107	12	+2095
Docs	2	42	11	+31
Config	0	0	0	0
Generated	0	0	0	0
Other	1	80	0	+80
Total	32	3949	64	+3885

Security concerns:

• [medium] Off-registry Skill Card fetch — src/infra/clawhub.ts:1035
  The helper follows absolute card.url values from the verification response, so a registry can cause OpenClaw to fetch non-registry URLs from the operator environment; suppressing Authorization does not remove the outbound request/security-boundary concern.
  Confidence: 0.88

What I checked:

• Root and scoped policy read: Read the full root AGENTS.md plus scoped guides for docs, agents, gateway, gateway protocol, gateway server methods, UI, and scripts; the security-boundary and additive protocol guidance applies to this PR. (AGENTS.md:1, 2f710f560450)
• CLI card path follows verified response URL: openclaw skills verify --card reads card.url from the verification response and passes it to fetchClawHubSkillCard with the selected registry as base. (src/cli/skills-cli.ts:386, 85a7c2926360)
• Helper permits off-registry card fetches: fetchClawHubSkillCard accepts an absolute url and sends it to clawhubRequest; the only off-origin guard is suppressing auth, not rejecting non-registry URLs. (src/infra/clawhub.ts:1035, 85a7c2926360)
• Regression currently blesses off-registry cards: The PR test suite expects fetchClawHubSkillCard to fetch https://cards.example.test/... while the selected base URL is https://clawhub.ai, confirming the behavior is intentional in the patch rather than a missing test case. (src/infra/clawhub.test.ts:467, 85a7c2926360)
• Bulk verdict dependency contract checked: The merged ClawHub dependency documents POST /api/v1/skills/-/security-verdicts as security-only and explicitly excludes Skill Card data, matching the PR's local-card UI design. (667bc55299c4)
• Real behavior proof present: The PR body reports a live local OpenClaw workspace with openclaw/discrawl@1.0.0, source gateway calls to skills.status, skills.securityVerdicts, and skills.skillCard, Control UI rendering, and copied live output showing the production verdict payload. (85a7c2926360)

Likely related people:

• Patrick-Erichsen: Authored prior merged skill install work on current main that owns the src/agents/skills-clawhub.ts path and is directly adjacent to the verification target-resolution changes. (role: recent area contributor; confidence: high; commits: c0312748c4f7; files: src/agents/skills-clawhub.ts, src/cli/skills-cli.ts)
• steipete: Recent current-main history shows broad refactors and UI/gateway work touching the affected infra, gateway, and Skills dialog surfaces. (role: recent adjacent owner; confidence: medium; commits: 77d9ac30bb8d, 756379b11ddf, b33ce7a37104; files: src/infra/clawhub.ts, src/gateway/server-methods/skills.ts, ui/src/ui/views/skills.ts)
• vincentkoc: Recent current-main and local blame history both point to ClawHub infra maintenance around malformed marketplace/ClawHub client handling. (role: adjacent infra contributor; confidence: medium; commits: eb07aba9731b; files: src/infra/clawhub.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[clawsweeper]

ClawSweeper PR egg

🔥 Warming up: real-behavior proof passed; findings, security review, or rank-up moves are still in progress.

Hatch command

Comment @clawsweeper hatch when this PR is hatchable.

Hatchability rules:

• Merged PRs are hatchable.
• Open PRs are hatchable when they are status: 👀 ready for maintainer look, status: 🚀 automerge armed, or labeled clawsweeper:automerge.
• Closed unmerged PRs are hatchable only when one of those hatchable labels is still present in the durable record.

What is this egg doing here?

• Eggs appear after the PR passes real-behavior proof. It is here for vibes, not verdicts: it does not change labels, ratings, merge decisions, or automation.
• The shell reacts to review momentum: open follow-up work warms it up, re-review makes it wobble, and a clean final review lets it hatch.
• Hatchability usually comes from sufficient real-behavior proof, no blocking P0/P1/P2 findings, no security attention needed, and clean correctness. A merged PR is already final, so merge makes the egg hatchable independently.
• The hatch is seeded from this repository and PR number, so the same PR keeps the same creature; the reviewed head SHA can only change safe visual details.
• Rarity is just collectible sparkle: 🥚 common, 🌱 uncommon, 💎 rare, ✨ glimmer, and 🌈 legendary.

[Patrick-Erichsen]

/clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26474255905
• Updated: 2026-05-26T20:55:13.202Z

[Patrick-Erichsen]

/clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

Re-review progress:

• State: Superseded
• Detail: A newer re-review for this item started before this run finished, so GitHub cancelled this older run. Check the latest ClawSweeper run for the current result.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26524333906
• Updated: 2026-05-27T16:31:16.622Z

[Patrick-Erichsen]

/clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26526754017
• Updated: 2026-05-27T17:22:34.893Z

[socket-security]

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request