From 05ec549e3d0682c339125fa5965f4ef356ea31c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E7=A8=8B=E5=BA=8F=E5=91=98=E9=98=BF=E6=B1=9F=28Relakkes?= =?UTF-8?q?=29?= Date: Fri, 3 Jul 2026 17:25:12 +0800 Subject: [PATCH] fix: avoid misleading clawhub scan summaries Tested: bun test src/server/__tests__/skill-market.test.ts Tested: git diff --check Confidence: high Scope-risk: narrow --- src/server/__tests__/skill-market.test.ts | 26 +++++++++++++++++++ .../services/skillMarket/clawhubAdapter.ts | 4 +-- 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/src/server/__tests__/skill-market.test.ts b/src/server/__tests__/skill-market.test.ts index 84223ab7..f8d3b100 100644 --- a/src/server/__tests__/skill-market.test.ts +++ b/src/server/__tests__/skill-market.test.ts @@ -70,6 +70,32 @@ describe('skill market source normalization', () => { }) }) + it('does not use clean ClawHub scanner summaries for blocked scans', () => { + expect(normalizeClawHubScan({ + status: 'malicious', + scanners: { + metadata: { status: 'clean', summary: 'No dangerous patterns detected.' }, + }, + })).toEqual({ + trustState: 'blocked', + trustSummary: undefined, + packageSha256: undefined, + }) + }) + + it('does not use clean ClawHub scanner summaries for warning scans', () => { + expect(normalizeClawHubScan({ + status: 'suspicious', + scanners: { + metadata: { status: 'clean', summary: 'No dangerous patterns detected.' }, + }, + })).toEqual({ + trustState: 'warning', + trustSummary: undefined, + packageSha256: undefined, + }) + }) + it('normalizes SkillHub list items as fallback candidates with Chinese summary', () => { const result = normalizeSkillHubList(SKILLHUB_TOP_SKILLS_RESPONSE) diff --git a/src/server/services/skillMarket/clawhubAdapter.ts b/src/server/services/skillMarket/clawhubAdapter.ts index 8f57569a..dee49dba 100644 --- a/src/server/services/skillMarket/clawhubAdapter.ts +++ b/src/server/services/skillMarket/clawhubAdapter.ts @@ -67,14 +67,14 @@ export function normalizeClawHubScan(payload: ClawHubScanResponse): { if (payload.status === 'malicious' || payload.status === 'blocked') { return { trustState: 'blocked', - trustSummary: scannerSummaryForStatuses(['malicious', 'blocked']) ?? scannerSummary, + trustSummary: scannerSummaryForStatuses(['malicious', 'blocked']), packageSha256: payload.sha256, } } if (payload.status === 'suspicious' || payload.hasWarnings) { return { trustState: 'warning', - trustSummary: scannerSummaryForStatuses(['suspicious', 'warning']) ?? scannerSummary, + trustSummary: scannerSummaryForStatuses(['suspicious', 'warning']), packageSha256: payload.sha256, } }