feat: moderation v2 trust verification pipeline #332
ArthurzKV wants to merge 1 commit into openclaw:main from
@ArthurzKV is attempting to deploy a commit to the Amantus Machina Team on Vercel. A member of the Team first needs to authorize it.
| const identityText = `${input.slug}\n${input.displayName}\n${input.summary ?? ""}`; | ||
| if (/keepcold131\/ClawdAuthenticatorTool|ClawdAuthenticatorTool/i.test(identityText)) { | ||
| addFinding(findings, { | ||
| code: REASON_CODES.KNOWN_BLOCKED_SIGNATURE, | ||
| severity: "critical", | ||
| file: "metadata", | ||
| line: 1, | ||
| message: "Matched a known blocked malware signature.", | ||
| evidence: identityText, | ||
| }); |
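Review bot: In the `if` condition, the alternation `keepcold131\/ClawdAuthenticatorTool|ClawdAuthenticatorTool` is redundant: the second alternative already matches everything the first does, so the test reduces to `/ClawdAuthenticatorTool/i`. Either drop the first branch or, if only the owner-qualified form is meant to be blocked, drop the second. Separately, `evidence: identityText` stores the entire slug, display name and summary in the finding; consider recording only the matched substring or a bounded excerpt, since `summary` is free-form publisher text.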
Hardcoded malware signature (keepcold131/ClawdAuthenticatorTool) is embedded directly in the scanning logic. Consider moving known signatures to a configuration file or database table to allow updates without code deployment.
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
Path: convex/lib/moderationEngine.ts
Line: 253:262
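The signature-table approach suggested in the review comment above, sketched as an added example that is not code from the PR or the project. The type names, `scanIdentity`, `validateSignatures`, the table contents, the evidence cap and the reason-code string are assumptions made for illustration.

```typescript
// Added example, not code from the PR. Type and function names are hypothetical.
type Finding = {
  code: string; severity: "critical"; file: string; line: number;
  message: string; evidence: string;
};
type BlockedSignature = { id: string; literal: string };

// Constructed table; in the reviewer's proposal this would be loaded from a
// config file or database table instead of living in the scanner source.
const SIGNATURES: BlockedSignature[] = [
  { id: "sig-1", literal: "ClawdAuthenticatorTool" },
];

// Placeholder for REASON_CODES.KNOWN_BLOCKED_SIGNATURE (its value is not on the page).
const KNOWN_BLOCKED_SIGNATURE = "KNOWN_BLOCKED_SIGNATURE_PLACEHOLDER";
const MAX_EVIDENCE = 120; // assumed cap on stored evidence length

// Entries are data now, so validate them: an empty literal would match every skill.
function validateSignatures(sigs: BlockedSignature[]): BlockedSignature[] {
  return sigs.filter((s) => s.literal.trim().length > 0);
}

// Case-insensitive literal search. Entries are never compiled as regexes, so a
// bad table row cannot introduce a catastrophic or match-all pattern.
function scanIdentity(
  input: { slug: string; displayName: string; summary?: string },
  sigs: BlockedSignature[] = SIGNATURES,
): Finding[] {
  const identityText = `${input.slug}\n${input.displayName}\n${input.summary ?? ""}`;
  const haystack = identityText.toLowerCase();
  const findings: Finding[] = [];
  for (const sig of validateSignatures(sigs)) {
    const at = haystack.indexOf(sig.literal.toLowerCase());
    if (at === -1) continue;
    // Bounded excerpt around the hit (offsets assume lowercasing keeps length, true for ASCII).
    const excerpt = identityText.slice(Math.max(0, at - 20), at + sig.literal.length + 20);
    findings.push({
      code: KNOWN_BLOCKED_SIGNATURE,
      severity: "critical",
      file: "metadata",
      line: 1,
      message: `Matched blocked signature ${sig.id}.`,
      evidence: excerpt.slice(0, MAX_EVIDENCE),
    });
  }
  return findings;
}
```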
Additional Comments (1)
Path: packages/clawdhub/src/security/staticScan.ts
Line: 1:228
Comment:
Static scanning logic is duplicated between this CLI implementation and `convex/lib/moderationEngine.ts` (server). The reason codes match correctly, but future changes to detection patterns require manual synchronization across both files. Consider extracting shared scanning logic to a shared package or generating one implementation from the other to reduce maintenance burden.
Summary
Implements moderation/verification v2 across schema, engine, publish pipeline, API, CLI, UI, and backfill flow.
What changed
- `skills` and deterministic `staticScan` payload on `skillVersions`.
- `GET /api/v1/skills/:slug` additive moderation fields (`verdict`, `reasonCodes`, `updatedAt`, `engineVersion`, `summary`).
- `GET /api/v1/skills/:slug/moderation` detailed evidence endpoint with owner/staff vs public behavior.
- `inspect --moderation` for detailed structured moderation output.
Compatibility
Validation
Greptile Summary
Implements moderation v2 trust verification across the full stack (schema, engine, API, CLI, UI). Adds normalized `moderationVerdict`, `moderationReasonCodes`, and `moderationEvidence` fields to skills, with deterministic `staticScan` payload on skill versions. Replaces keyword-only heuristics with context-aware static analyzers and explicit verdict policy merging static + VT + LLM signals.
Major changes:
- `GET /api/v1/skills/:slug/moderation` endpoint with owner/staff vs public access control
- `--moderation` flag for inspect command and local static verification on install/update
Key observations:
- `convex/lib/moderationEngine.ts`) and CLI (`packages/clawdhub/src/security/staticScan.ts`), requiring manual synchronization for future updates
Confidence Score: 4/5
Last reviewed commit: 2b9acf5