[fix] show moderation status on plain clawhub inspect #1488

Closed
edenfunf wants to merge 2 commits into openclaw:main from edenfunf:fix/inspect-missing-moderation-status

@edenfunf edenfunf commented Apr 2, 2026

What's the problem?

Running clawhub inspect <skill> without any flags never shows the security status, even though the API always returns it.

If you try with --version 1.2.3 you'll see the security block — but that requires knowing a version number upfront. For a quick sanity check, you shouldn't have to do that.

Related to #1483.

Why does it happen?

The existing printSecuritySummary call is gated behind versionResult?.version:

```ts
if (shouldPrintMeta && versionResult?.version) {
  printVersionSummary(versionResult.version);
  printSecuritySummary(versionResult.version);   // never runs on plain inspect
}
```

versionResult is only populated when --version, --tag, --files, or --file is passed. Without those flags it stays null, and the skill's moderation object — which the API always returns — is fetched but never displayed.

What I changed

Added a printModerationSummary function that reads the skill-level moderation object (verdict, isSuspicious, isMalwareBlocked, updatedAt, engineVersion) and prints it in the else if (shouldPrintMeta) branch, so the security line is always visible on a basic inspect:

```
$ clawhub inspect some-skill
some-skill  Some Skill
Owner: someone
...
Security: SUSPICIOUS
Suspicious: yes
Checked: 2024-01-15T10:30:00.000Z
Engine: v2
```

When no moderation data comes back from the API the block is a no-op, so existing behaviour for older responses is unchanged.

How I verified it

  • Added three unit tests to inspect.test.ts:
    1. Suspicious skill with full moderation data → all fields printed correctly
    2. Clean skill → Security: CLEAN, no suspicious/malware lines
    3. No moderation field in response → security block not printed at all
  • Ran the full clawdhub test suite: 176/176 passed

vercel bot commented Apr 2, 2026

@edenfunf is attempting to deploy a commit to the Amantus Machina Team on Vercel.

A member of the Team first needs to authorize it.

greptile-apps bot commented Apr 2, 2026

Greptile Summary

This PR fixes a gap where running clawhub inspect <skill> without version flags never showed the security/moderation status. The fix adds a new printModerationSummary function that reads the skill-level moderation field (always returned by the API) and prints it in the else if (shouldPrintMeta) branch. The approach is correct and the three new tests cover the expected cases well.

Two issues were found:

  • moderation omitted from --json output — the output object built before the options.json branch does not include skillResult.moderation, so machine-readable consumers using --json still don't receive moderation data after this fix. The human-readable path is fixed but the JSON path is not.
  • Contradictory output when verdict is absent: moderation.verdict ?? "clean" defaults the security line to CLEAN even when isSuspicious: true and verdict is null/undefined (a valid state per the schema), producing Security: CLEAN + Suspicious: yes in the same output. Deriving the fallback from the boolean flags avoids this.

Confidence Score: 3/5

Safe to merge for the human-readable path, but JSON output still incomplete and a minor contradictory-display edge case exists.

The core fix is correct and well-tested. However, the output object used by --json mode was not updated, leaving a functional gap for programmatic consumers. The verdict ?? "clean" fallback can also produce internally inconsistent output for edge-case API responses. Neither issue is a regression from the pre-PR state, but both are worth addressing before merging.

packages/clawdhub/src/cli/commands/inspect.ts — output object (lines 120–127) and printModerationSummary verdict fallback (line 313)

Comments Outside Diff (1)

  1. packages/clawdhub/src/cli/commands/inspect.ts, line 120-127 (link)

    P1 moderation missing from JSON output

    The output object built for --json mode omits skillResult.moderation, so clawhub inspect some-skill --json still won't include any moderation data after this fix — only the human-readable path benefits. Since the goal is to always surface the security status, the JSON output should be kept consistent.

Prompt To Fix All With AI
This is a comment left during a code review.
Path: packages/clawdhub/src/cli/commands/inspect.ts
Line: 120-127

Comment:
**`moderation` missing from JSON output**

The `output` object built for `--json` mode omits `skillResult.moderation`, so `clawhub inspect some-skill --json` still won't include any moderation data after this fix — only the human-readable path benefits. Since the goal is to always surface the security status, the JSON output should be kept consistent.

```suggestion
    const output = {
      skill: skillResult.skill,
      latestVersion: skillResult.latestVersion,
      owner: skillResult.owner,
      moderation: skillResult.moderation ?? null,
      version: versionResult?.version ?? null,
      versions: versionsList?.items ?? null,
      file: options.file ? { path: options.file, content: fileContent } : null,
    };
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: packages/clawdhub/src/cli/commands/inspect.ts
Line: 313

Comment:
**Misleading output when `verdict` is absent but `isSuspicious` is true**

`moderation.verdict ?? "clean"` defaults to `"clean"` when `verdict` is `null` or `undefined`. Because `verdict` is optional in `ApiV1SkillResponseSchema`, a response with `isSuspicious: true` but no `verdict` field would print `Security: CLEAN` followed immediately by `Suspicious: yes` — a contradictory pair of lines. Preferring the boolean flags as a fallback is safer:

```suggestion
  const verdict = moderation.verdict ?? (moderation.isMalwareBlocked ? "malicious" : moderation.isSuspicious ? "suspicious" : "clean");
```

How can I resolve this? If you propose a fix, please make it concise.

Reviews (1): Last reviewed commit: "[fix] show moderation status on plain cl..." | Re-trigger Greptile
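
The verdict fallback raised in this review, as an added TypeScript example that is not code from the PR or the clawhub source. The `Moderation` type, the helper names and the `Malware blocked` label are assumptions, and the sample responses are constructed.

```typescript
// Added example: hypothetical types and helpers, not the clawhub source.
// Field names follow the moderation object described in the PR.
type Moderation = {
  verdict?: string | null; // optional in the schema, per the review
  isSuspicious: boolean;
  isMalwareBlocked: boolean;
};

// Fallback as first submitted: a missing verdict is reported as "clean".
function naiveVerdict(m: Moderation): string {
  return m.verdict ?? "clean";
}

// Fallback after review: derive the verdict from the flags, worst case first.
function derivedVerdict(m: Moderation): string {
  return m.verdict ?? (m.isMalwareBlocked ? "malicious" : m.isSuspicious ? "suspicious" : "clean");
}

// Render the human-readable block; no moderation data means no lines at all.
function moderationLines(
  m: Moderation | null | undefined,
  pick: (m: Moderation) => string,
): string[] {
  if (!m) return [];
  const lines = [`Security: ${pick(m).toUpperCase()}`];
  if (m.isSuspicious) lines.push("Suspicious: yes");
  if (m.isMalwareBlocked) lines.push("Malware blocked: yes"); // label is assumed
  return lines;
}

// Contradictory: the headline says CLEAN but a flag line follows it.
function isContradictory(lines: string[]): boolean {
  return lines[0] === "Security: CLEAN" && lines.length > 1;
}

// Constructed API responses (not captured from the real service).
const samples: Array<[string, Moderation | undefined]> = [
  ["flagged, verdict absent", { isSuspicious: true, isMalwareBlocked: false }],
  ["blocked, verdict null", { verdict: null, isSuspicious: true, isMalwareBlocked: true }],
  ["explicit clean", { verdict: "clean", isSuspicious: false, isMalwareBlocked: false }],
  // Explicit verdict disagreeing with a flag: ?? never reaches the fallback.
  ["clean verdict, flag set", { verdict: "clean", isSuspicious: true, isMalwareBlocked: false }],
  ["no moderation field", undefined],
];

for (const [name, m] of samples) {
  const before = moderationLines(m, naiveVerdict);
  const after = moderationLines(m, derivedVerdict);
  console.log(name, { before, after, stillContradictory: isContradictory(after) });
}
```

The fourth sample shows that the flag-derived fallback only covers an absent verdict: an explicit verdict that disagrees with a flag is still rendered as received.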

edenfunf added 2 commits April 3, 2026 21:57

Running `clawhub inspect <skill>` without any version flags never printed
the security verdict, even though the API always returns a `moderation`
object in the skill response.

The existing `printSecuritySummary` call was gated behind
`versionResult?.version`, which is only populated when `--version`,
`--tag`, `--files`, or `--file` is passed.  The skill-level moderation
data (verdict, isSuspicious, isMalwareBlocked, updatedAt, engineVersion)
was fetched but silently discarded every time.

Fix: add `printModerationSummary` and call it in the `else if
(shouldPrintMeta)` branch so the security status is always visible on a
basic inspect, without requiring a version-specific flag.

verdict is optional in ApiV1SkillResponseSchema, so a response where
isSuspicious is true but verdict is absent would have printed
"Security: CLEAN" followed by "Suspicious: yes" — a contradictory pair.

Fall back to the boolean flags instead of hardcoding "clean":

  moderation.verdict ?? (isMalwareBlocked ? "malicious" : isSuspicious ? "suspicious" : "clean")

The booleans are always present (non-optional) so this is always consistent.

@edenfunf edenfunf force-pushed the fix/inspect-missing-moderation-status branch from 00bc665 to 95aa9c0 April 3, 2026 13:58

ImLukeF commented Apr 12, 2026

Thanks for the thoughtful fix here — the behavior you pointed out makes sense.

We’re going to close this one for now because we don’t want to add more default output to plain clawhub inspect unless it’s clearly necessary. For the common case, always surfacing the moderation/security block would add noise to what is meant to be a quick metadata view.

So this is less about the implementation and more about the product choice: we’d rather keep the default inspect output lean unless we decide to introduce a more explicit security-focused view later.

Appreciate the contribution.

@ImLukeF ImLukeF closed this Apr 12, 2026