
Expose VirusTotal scan verdict in API and CLI inspect output #189

@VACInc

Description

Problem

The ClawHub VirusTotal integration scans skills server-side, but the scan verdict is not exposed in the public API or CLI. When running clawhub inspect --json <slug>, the returned metadata includes skill, owner, latestVersion, etc. — but no scan/moderation status.

This makes it impossible for users and agents to programmatically enforce "only install scanned/approved skills" without manually checking the web UI.

Current workaround

A wrapper script around clawhub install that checks the publisher against a trusted allowlist. This is fragile and doesn't leverage the VirusTotal scanning that's already happening.

Proposed solution

Add scan verdict fields to the skill metadata returned by:

  1. API (/api/skills/<slug>) — e.g. a moderation or virusTotal object with:

    • scanStatus: pending | scanned | not_scanned
    • verdict: benign | suspicious | malicious
    • lastScanned: ISO timestamp
  2. CLI (clawhub inspect --json <slug>) — surface the same fields

  3. (Nice to have) A clawhub install --require-scanned flag (or env var CLAWHUB_REQUIRE_SCANNED=1) that blocks installation of unscanned or malicious skills at the CLI level.

Why this matters

Users who disabled ClawHub over security concerns (like me) want to re-enable it with confidence. The VirusTotal integration is great — but without API access to the verdicts, we can't build automated guardrails around it.

Environment

  • clawhub CLI v0.5.0
  • OpenClaw 2026.2.9
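One way the proposed `--require-scanned` gate could be enforced client-side today, as an added example that is neither ClawHub's code nor the issue author's workaround. It assumes the verdict fields are returned under a `moderation` or `virusTotal` object exactly as proposed above and that `clawhub inspect --json <slug>` prints that object; the `max_age_days` staleness check, the `now_iso` parameter, and treating `suspicious` as blocking are assumptions that go beyond the proposal. Missing or unrecognised data fails closed.

```python
"""Added example: client-side install gate over the scan verdict fields proposed
in this issue. Not ClawHub's own code; the JSON shape is an assumption."""
import json
import os
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Mapping, Optional

# Values proposed in the issue; anything outside these sets is treated as unknown.
SCAN_STATUSES = {"pending", "scanned", "not_scanned"}
VERDICTS = {"benign", "suspicious", "malicious"}


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def require_scanned_from_env(env: Optional[Mapping[str, str]] = None) -> bool:
    """The proposed CLAWHUB_REQUIRE_SCANNED=1 env var turns the gate on."""
    env = os.environ if env is None else env
    return env.get("CLAWHUB_REQUIRE_SCANNED", "").strip() == "1"


def _parse_iso(ts: object) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp (accepting a trailing 'Z'); None if unparseable."""
    try:
        dt = datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def scan_gate(metadata: dict, require_scanned: bool = True,
              max_age_days: Optional[int] = None,
              now_iso: Optional[str] = None) -> Decision:
    """Decide whether `metadata` (assumed: the object printed by
    `clawhub inspect --json <slug>`) permits installation. The verdict is assumed
    to live under `moderation` or `virusTotal`. Unknown/missing data fails closed."""
    scan = metadata.get("moderation") or metadata.get("virusTotal")
    if not isinstance(scan, dict):
        return Decision(not require_scanned, "no scan verdict in metadata")
    status, verdict = scan.get("scanStatus"), scan.get("verdict")
    if verdict == "malicious":
        return Decision(False, "verdict is malicious")  # blocked even with the gate off
    if not require_scanned:
        return Decision(True, f"gate disabled (scanStatus={status!r}, verdict={verdict!r})")
    if status != "scanned":
        # Covers "pending", "not_scanned", and any value the server adds later.
        return Decision(False, f"skill not scanned (scanStatus={status!r})")
    if verdict != "benign":
        # Assumption: "suspicious" and unrecognised verdicts are refused under the gate.
        return Decision(False, f"verdict {verdict!r} is not benign")
    if max_age_days is not None:
        # Assumption beyond the proposal: refuse verdicts older than max_age_days.
        scanned_at = _parse_iso(scan.get("lastScanned"))
        if scanned_at is None:
            return Decision(False, f"unparseable lastScanned: {scan.get('lastScanned')!r}")
        now = (_parse_iso(now_iso) if now_iso else None) or datetime.now(timezone.utc)
        if now - scanned_at > timedelta(days=max_age_days):
            return Decision(False, f"verdict older than {max_age_days} days")
    return Decision(True, f"scanned benign at {scan.get('lastScanned')}")


def gated_install(slug: str, require_scanned: bool = True) -> int:
    """Run `clawhub inspect --json`, apply the gate, then `clawhub install`."""
    try:
        out = subprocess.run(["clawhub", "inspect", "--json", slug],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"refusing to install {slug}: could not inspect ({exc})", file=sys.stderr)
        return 2
    decision = scan_gate(json.loads(out), require_scanned)
    print(f"{slug}: {'ALLOW' if decision.allow else 'DENY'}: {decision.reason}")
    if not decision.allow:
        return 1
    return subprocess.run(["clawhub", "install", slug]).returncode


if __name__ == "__main__":
    # Usage: python gate.py <slug>   (set CLAWHUB_REQUIRE_SCANNED=1 to enforce)
    if len(sys.argv) != 2:
        sys.exit("usage: gate.py <slug>")
    sys.exit(gated_install(sys.argv[1], require_scanned_from_env()))
```

The gate only returns ALLOW when the server positively says `scanned` and `benign`; a missing object, a `pending` or `not_scanned` status, or a verdict value it does not recognise all deny, so a future change to the field vocabulary cannot silently open the gate. A `malicious` verdict is refused even when the gate is off, since there is no reason to install something the server has already flagged.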
