@lowwattlabs/clawsec 2.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Low Watt Labs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,223 @@
+# ⚡ ClawSec
+
+Security verification tool that scans ClawHub skills against 10 continuously-updated threat intelligence sources using 7 autonomous security checks.
+
+If you find it useful, [buy me a coffee](https://buymeacoffee.com/lowwattlabs) ⚡
+
+## Quick Start
+
+```bash
+# Install globally via npm
+npm install -g @lowwattlabs/clawsec
+
+# Scan a local skill directory
+clawsec scan ./my-skill
+
+# Scan with JSON output
+clawsec scan ./my-skill --json
+
+# Sync threat intel
+clawsec sync
+
+# Check intel cache status
+clawsec status
+```
+
+First run automatically sets up a Python venv at `~/.clawsec/venv/` and installs dependencies.
+
+## Docker
+
+```bash
+# Build
+docker build -t lowwattlabs/clawsec .
+
+# Run
+docker run -p 3100:3100 lowwattlabs/clawsec
+
+# Scan via API inside container
+docker run lowwattlabs/clawsec clawsec scan /path/to/skill
+```
+
+## CLI Usage
+
+```bash
+# Verify a skill
+clawsec scan ./my-skill
+clawsec scan ./my-skill --json        # JSON output
+clawsec scan ./my-skill --checks=dep-scan,secret-scan  # Run specific checks
+
+# Scan by ClawHub slug
+clawsec scan my-awesome-skill
+
+# Refresh intel cache
+clawsec sync                          # All sources
+clawsec sync cisa-kev epss            # Specific sources
+
+# Check cache status
+clawsec status
+clawsec status --json                 # JSON output
+
+# View saved report
+clawsec report abc12345
+clawsec report abc12345 --json        # JSON output
+```
+
+**Exit codes:** 0 = pass, 1 = warn, 2 = fail
+
+## API Usage
+
+### Start the API server
+
+```bash
+# Via npm global install
+clawsec-api
+
+# Or directly
+node api/src/server.js
+
+# With custom config
+CLAWSEC_HOME=~/.clawsec CLAWSEC_PORT=3100 clawsec-api
+```
+
+### API endpoints
+
+```bash
+# Scan by path
+curl -X POST http://localhost:3100/api/v1/scan \
+  -H "Content-Type: application/json" \
+  -d '{"path": "/path/to/skill"}'
+
+# Scan by ClawHub slug
+curl -X POST http://localhost:3100/api/v1/scan \
+  -H "Content-Type: application/json" \
+  -d '{"slug": "my-skill"}'
+
+# Scan by content
+curl -X POST http://localhost:3100/api/v1/scan \
+  -H "Content-Type: application/json" \
+  -d '{"content": {"SKILL.md": "# My Skill\n..."}}'
+
+# Get report
+curl http://localhost:3100/api/v1/report/{id}
+
+# Get trust badge
+curl http://localhost:3100/api/v1/badge/{id}.svg
+
+# Cache status
+curl http://localhost:3100/api/v1/status
+
+# Health check
+curl http://localhost:3100/health
+```
+
+## Security Checks (7)
+
+1. **Dependency Scan** — Matches declared dependencies against OSV, flags CISA KEV as critical, ranks by EPSS probability
+2. **Static Analysis** — Semgrep with community rules for code vulnerabilities
+3. **Secret Scan** — Gitleaks for leaked API keys, tokens, credentials
+4. **YARA Scan** — Neo23x0 signature-base rules for malware/packer/suspicious patterns
+5. **IOC Match** — Extracts URLs/IPs/domains/hashes, matches against URLhaus/ThreatFox/Feodo/MalwareBazaar
+6. **Behavioral Heuristics** — Flags shell injection, system writes, fetch-exec, large base64 payloads, capability overreach
+7. **Prompt Injection** — Detects instruction overrides, role manipulation, safety bypasses in SKILL.md
+
+## Intel Sources (9)
+
+| Source | Type | Records | Update Frequency |
+|--------|------|---------|-----------------|
+| CISA KEV | Known Exploited Vulnerabilities | ~1,600 | Daily |
+| OSV (npm + PyPI) | Open Source Vulnerabilities | ~219,000 | Daily |
+| EPSS | Exploit Prediction Scoring | ~334,000 | Daily |
+| MalwareBazaar | Malware hashes + samples | ~3,500 | Daily |
+| URLhaus | Malicious URLs | ~15,400 | Daily |
+| ThreatFox | IOCs (IPs, domains, hashes) | ~3,200 | Daily |
+| Feodo Tracker | C2 IP addresses | ~6 | Daily |
+| YARA Rules (Neo23x0) | Malware/signature detection | ~746 rules | Daily |
+| Semgrep Rules | Static analysis rules | ~2,183 rules | Daily |
+
+All data cached under `~/.clawsec/intel/` with atomic writes and graceful degradation on failure.
+
+## Configuration
+
+ClawSec uses environment variables with sensible defaults:
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `CLAWSEC_HOME` | `~/.clawsec` | Root directory for venv, intel, reports |
+| `CLAWSEC_INTEL_DIR` | `~/.clawsec/intel` | Intel cache directory |
+| `CLAWSEC_REPORTS_DIR` | `~/.clawsec/reports` | Reports directory |
+| `CLAWSEC_PORT` | `3100` | API server port |
+
+## Local Development
+
+```bash
+git clone https://github.com/jchandler187/clawsec.git
+cd clawsec
+./setup.sh          # Installs system deps + Python venv
+clawsec sync        # Populate intel cache (first run takes a few minutes for OSV)
+clawsec scan ./path # Verify a skill
+```
+
+## Architecture
+
+```
+clawsec/
+├── bin/
+│   ├── clawsec.js       (CLI entry point)
+│   ├── clawsec-api.js   (API entry point)
+│   └── setup-venv.js    (postinstall venv setup)
+├── api/
+│   └── src/
+│       ├── server.js     (Express server, port 3100)
+│       ├── routes.js     (API routes)
+│       ├── middleware.js  (Rate limiting + auth)
+│       ├── badge.js      (SVG trust badge generator)
+│       └── verify-wrapper.sh
+├── cli/
+│   └── clawsec.py       (Python CLI)
+├── lib/
+│   ├── intel-sync/       (Intel cache synchronization)
+│   │   ├── sync.sh        (Main sync orchestrator)
+│   │   ├── sources/       (Per-source sync scripts)
+│   │   └── manifest.py    (Cache manifest management)
+│   ├── skill-verify/      (Skill verification engine)
+│   │   ├── verify.sh      (Main verify orchestrator)
+│   │   ├── checks/         (7 security check scripts)
+│   │   └── report.py       (Report generation & storage)
+│   └── common/            (Shared utilities + config)
+├── Dockerfile
+├── package.json
+├── requirements.txt
+├── setup.sh
+└── README.md
+```
+
+## What ClawSec DOES Check
+
+- **Known vulnerabilities in declared dependencies** (OSV + CISA KEV + EPSS)
+- **Static code patterns** — shell injection, eval, exec, path traversal, system writes (Semgrep + behavioral heuristics)
+- **Leaked secrets and credentials** — API keys, tokens, passwords (Gitleaks)
+- **Known malware signatures** — YARA rules matching packers, ransomware, suspicious binaries
+- **Threat intel IOC matches** — URLs, IPs, domains, and hashes from URLhaus, ThreatFox, Feodo, MalwareBazaar
+- **Prompt injection attempts** — instruction overrides, role manipulation, jailbreak patterns in SKILL.md
+- **Large encoded payloads** — suspicious base64 blobs above 2KB that decode to binary content
+
+## What ClawSec Does NOT Check
+
+- String concatenation obfuscation
+- Lazy-loaded payloads (partially caught via eval/evalSub)
+- Conditional/time-bomb behavior
+- Dependency confusion/typo squatting
+- Runtime behavior (requires dynamic analysis)
+- Transitive vulnerabilities
+- Novel/zero-day threats not in any feed
+
+## Intel Cache Staleness
+
+- **30+ days stale** → Warning (results may be outdated)
+- **90+ days stale** → Critical failure (results unreliable, resync required)
+
+Run `clawsec sync` to refresh stale intel sources.
+
+## License
+
+MIT — Low Watt Labs ⚡

package/api/public/index.html

@@ -0,0 +1,87 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>ClawSec — Skill Security Verification</title>
+    <style>
+        * { margin: 0; padding: 0; box-sizing: border-box; }
+        body {
+            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif;
+            background: #0d1117; color: #c9d1d9; line-height: 1.6;
+        }
+        .container { max-width: 800px; margin: 0 auto; padding: 0 24px; }
+        header { padding: 48px 0 32px; text-align: center; }
+        h1 { font-size: 2.4em; color: #f0f6fc; margin-bottom: 8px; }
+        h1 span { color: #2ea043; }
+        .tagline { color: #8b949e; font-size: 1.1em; }
+        .badges { display: flex; gap: 12px; justify-content: center; margin: 24px 0; flex-wrap: wrap; }
+        .badge { background: #161b22; border: 1px solid #21262d; border-radius: 8px; padding: 12px 20px; }
+        .badge-label { color: #8b949e; font-size: 0.8em; text-transform: uppercase; letter-spacing: 0.5px; }
+        .badge-value { color: #f0f6fc; font-weight: 600; font-size: 1.2em; }
+        .checks { padding: 32px 0; }
+        .check { display: flex; align-items: baseline; padding: 8px 0; border-bottom: 1px solid #21262d; }
+        .check-icon { color: #2ea043; font-weight: 700; margin-right: 12px; font-size: 1.1em; }
+        .check-name { color: #f0f6fc; font-weight: 600; min-width: 180px; }
+        .check-desc { color: #8b949e; }
+        .cta { text-align: center; padding: 40px 0; }
+        .cta a {
+            display: inline-block; background: #2ea043; color: #fff; padding: 14px 32px;
+            border-radius: 8px; text-decoration: none; font-weight: 600; font-size: 1.1em;
+        }
+        .cta a:hover { background: #3fb950; }
+        .coffee { margin-top: 16px; }
+        .coffee a { color: #d4a72c; text-decoration: none; font-size: 0.95em; }
+        .coffee a:hover { text-decoration: underline; }
+        .footer { text-align: center; padding: 32px 0; color: #484f58; font-size: 0.85em; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <header>
+            <h1>⚡ Claw<span>Sec</span></h1>
+            <p class="tagline">Security verification for ClawHub skills</p>
+        </header>
+
+        <div class="badges">
+            <div class="badge">
+                <div class="badge-label">Checks</div>
+                <div class="badge-value">7</div>
+            </div>
+            <div class="badge">
+                <div class="badge-label">Intel Sources</div>
+                <div class="badge-value">9</div>
+            </div>
+            <div class="badge">
+                <div class="badge-label">License</div>
+                <div class="badge-value">MIT</div>
+            </div>
+            <div class="badge">
+                <div class="badge-label">Cost</div>
+                <div class="badge-value">Free</div>
+            </div>
+        </div>
+
+        <div class="checks">
+            <div class="check"><span class="check-icon">✓</span><span class="check-name">Dependency Scan</span><span class="check-desc">OSV + CISA KEV + EPSS — known vulnerabilities in declared deps</span></div>
+            <div class="check"><span class="check-icon">✓</span><span class="check-name">Static Analysis</span><span class="check-desc">Semgrep community rules — shell injection, path traversal, system writes</span></div>
+            <div class="check"><span class="check-icon">✓</span><span class="check-name">Secret Scan</span><span class="check-desc">Gitleaks + credential heuristics — leaked keys, tokens, passwords</span></div>
+            <div class="check"><span class="check-icon">✓</span><span class="check-name">YARA Scan</span><span class="check-desc">Neo23x0 signature-base — malware, packers, suspicious binaries</span></div>
+            <div class="check"><span class="check-icon">✓</span><span class="check-name">IOC Match</span><span class="check-desc">URLhaus + ThreatFox + Feodo + MalwareBazaar — malicious URLs, IPs, hashes</span></div>
+            <div class="check"><span class="check-icon">✓</span><span class="check-name">Behavioral</span><span class="check-desc">Shell injection, eval, fetch-exec, large base64, capability overreach</span></div>
+            <div class="check"><span class="check-icon">✓</span><span class="check-name">Prompt Injection</span><span class="check-desc">Instruction overrides, role manipulation, safety bypasses in SKILL.md</span></div>
+        </div>
+
+        <div class="cta">
+            <a href="https://github.com/jchandler187/clawsec">Get Started →</a>
+            <div class="coffee">
+                <a href="https://buymeacoffee.com/lowwattlabs">☕ Found ClawSec useful? Buy me a coffee</a>
+            </div>
+        </div>
+
+        <div class="footer">
+            ⚡ Low Watt Labs — MIT License
+        </div>
+    </div>
+</body>
+</html>

package/api/src/badge.js

@@ -0,0 +1,60 @@
+/**
+ * ClawSec v2 - SVG Badge Generator
+ */
+
+function generateBadge(verdict) {
+    const configs = {
+        pass: {
+            label: 'clawsec',
+            value: 'verified',
+            labelColor: '#333',
+            valueColor: '#2ea043',
+            valueBorderColor: '#2ea04366'
+        },
+        warn: {
+            label: 'clawsec',
+            value: 'warnings',
+            labelColor: '#333',
+            valueColor: '#d29922',
+            valueBorderColor: '#d2992266'
+        },
+        fail: {
+            label: 'clawsec',
+            value: 'failed',
+            labelColor: '#333',
+            valueColor: '#da3633',
+            valueBorderColor: '#da363366'
+        },
+        unknown: {
+            label: 'clawsec',
+            value: 'unknown',
+            labelColor: '#333',
+            valueColor: '#6e7781',
+            valueBorderColor: '#6e778166'
+        }
+    };
+
+    const config = configs[verdict] || configs.unknown;
+    const labelWidth = 62;
+    const valueWidth = config.value.length * 7.5 + 16;
+    const totalWidth = labelWidth + valueWidth;
+    const height = 20;
+    const rx = 3;
+
+    return `<svg xmlns="http://www.w3.org/2000/svg" width="${totalWidth}" height="${height}" viewBox="0 0 ${totalWidth} ${height}">
+  <clipPath id="round">
+    <rect width="${totalWidth}" height="${height}" rx="${rx}" fill="#fff"/>
+  </clipPath>
+  <g clip-path="url(#round)">
+    <rect width="${labelWidth}" height="${height}" fill="${config.labelColor}"/>
+    <rect x="${labelWidth}" width="${valueWidth}" height="${height}" fill="${config.valueColor}"/>
+  </g>
+  <rect width="${totalWidth}" height="${height}" rx="${rx}" fill="none" stroke="${config.valueBorderColor}" stroke-width="0.5"/>
+  <g fill="#fff" font-family="-apple-system,BlinkMacSystemFont,Segoe UI,Helvetica,Arial,sans-serif" font-size="11" font-weight="600">
+    <text x="${labelWidth / 2}" y="14.5" text-anchor="middle">${config.label}</text>
+    <text x="${labelWidth + valueWidth / 2}" y="14.5" text-anchor="middle">${config.value}</text>
+  </g>
+</svg>`;
+}
+
+module.exports = { generateBadge };

package/api/src/middleware.js

@@ -0,0 +1,104 @@
+/**
+ * ⚡ ClawSec v2 - API Middleware
+ * Rate limiting, auth, request logging
+ */
+
+const { RateLimiterMemory } = require('rate-limiter-flexible');
+const path = require('path');
+const os = require('os');
+const fs = require('fs');
+
+const CLAWSEC_DIR = process.env.CLAWSEC_HOME || path.join(os.homedir(), '.clawsec');
+
+// Rate limiter: 5 scans/day for free tier, much higher for API key holders
+const freeLimiter = new RateLimiterMemory({
+    points: 5,
+    duration: 86400, // 24 hours
+    blockDuration: 86400,
+});
+
+const proLimiter = new RateLimiterMemory({
+    points: 1000,
+    duration: 86400,
+    blockDuration: 3600,
+});
+
+// Load API keys from config
+function loadApiKeys() {
+    const keysFile = path.join(CLAWSEC_DIR, 'api', 'api-keys.json');
+    if (fs.existsSync(keysFile)) {
+        try {
+            return JSON.parse(fs.readFileSync(keysFile, 'utf8'));
+        } catch {
+            return {};
+        }
+    }
+    return {};
+}
+
+// Rate limiter middleware
+const rateLimiter = async (req, res, next) => {
+    const apiKey = req.headers['x-api-key'] || (req.headers['authorization'] || '').replace('Bearer ', '');
+    const keys = loadApiKeys();
+
+    if (apiKey && keys[apiKey]) {
+        // Pro user
+        try {
+            await proLimiter.consume(apiKey);
+            req.userTier = 'pro';
+            req.userId = keys[apiKey].email || apiKey;
+        } catch {
+            return res.status(429).json({
+                error: 'Rate limit exceeded',
+                tier: 'pro',
+                retry_after: '1 hour'
+            });
+        }
+    } else {
+        // Free tier - rate limit by IP
+        const clientIp = req.ip || req.connection.remoteAddress;
+        try {
+            await freeLimiter.consume(clientIp);
+            req.userTier = 'free';
+        } catch {
+            return res.status(429).json({
+                error: 'Rate limit exceeded',
+                tier: 'free',
+                limit: '5 scans/day',
+                upgrade: 'Get an API key for higher limits'
+            });
+        }
+    }
+    next();
+};
+
+// API key auth (optional - works without, just gets free tier)
+const apiKeyAuth = (req, res, next) => {
+    const apiKey = req.headers['x-api-key'] || (req.headers['authorization'] || '').replace('Bearer ', '');
+    if (apiKey) {
+        const keys = loadApiKeys();
+        if (keys[apiKey]) {
+            req.authenticated = true;
+            req.userTier = keys[apiKey].tier || 'pro';
+            req.userId = keys[apiKey].email || 'unknown';
+        }
+    }
+    next();
+};
+
+// Request logger
+const requestLogger = (req, res, next) => {
+    const start = Date.now();
+    res.on('finish', () => {
+        const duration = Date.now() - start;
+        const tier = req.userTier || 'free';
+        console.log('[' + new Date().toISOString() + '] ' + req.method + ' ' + req.path + ' ' + res.statusCode + ' ' + duration + 'ms [' + tier + ']');
+    });
+    next();
+};
+
+module.exports = {
+    rateLimiter,
+    apiKeyAuth,
+    requestLogger
+};

package/api/src/routes.js

@@ -0,0 +1,184 @@
+/**
+ * ⚡ ClawSec v2 - API Routes
+ */
+
+const express = require('express');
+const path = require('path');
+const os = require('os');
+const fs = require('fs');
+const { execFileSync } = require('child_process');
+const { v4: uuidv4 } = require('uuid');
+const { generateBadge } = require('./badge');
+
+const router = express.Router();
+const CLAWSEC_DIR = process.env.CLAWSEC_HOME || path.join(os.homedir(), '.clawsec');
+const REPORTS_DIR = process.env.CLAWSEC_REPORTS_DIR || path.join(CLAWSEC_DIR, 'reports');
+const INTEL_DIR = process.env.CLAWSEC_INTEL_DIR || path.join(CLAWSEC_DIR, 'intel');
+
+// Validate id param: alphanumeric + hyphens only, max 128 chars
+function sanitizeId(id) {
+    if (!id || !/^[a-zA-Z0-9_-]+$/.test(id) || id.length > 128) return null;
+    return id;
+}
+
+// Validate slug for clawhub install: same rules as id
+function sanitizeSlug(slug) {
+    if (!slug || !/^[a-zA-Z0-9_-]+$/.test(slug) || slug.length > 128) return null;
+    return slug;
+}
+
+router.post('/scan', (req, res) => {
+    const { slug, content, path: reqPath } = req.body;
+
+    if (!slug && !content && !reqPath) {
+        return res.status(400).json({
+            error: 'Must provide slug, content, or path',
+            required: ['slug | content | path']
+        });
+    }
+
+    let targetDir;
+    let cleanup = false;
+
+    try {
+        if (reqPath && fs.existsSync(reqPath)) {
+            targetDir = reqPath;
+        } else if (slug) {
+            // P1-4: Validate slug before passing to clawhub install
+            const safeSlug = sanitizeSlug(slug);
+            if (!safeSlug) {
+                return res.status(400).json({ error: 'Invalid slug: must be alphanumeric with hyphens/underscores, max 128 chars' });
+            }
+            // Try to install from ClawHub
+            const tmpDir = '/tmp/clawsec-scan-' + uuidv4().slice(0, 8);
+            try {
+                execFileSync('clawhub', ['install', safeSlug, '--dir', tmpDir], {
+                    timeout: 60000, encoding: 'utf8'
+                });
+                // Find the installed skill
+                const dirs = fs.readdirSync(tmpDir);
+                if (dirs.length > 0) {
+                    targetDir = path.join(tmpDir, dirs[0]);
+                    cleanup = true;
+                }
+            } catch (e) {
+                return res.status(404).json({ error: 'Skill not found: ' + slug });
+            }
+        } else if (content) {
+            // Write content to temp dir
+            const tmpDir = '/tmp/clawsec-scan-' + uuidv4().slice(0, 8);
+            fs.mkdirSync(tmpDir, { recursive: true });
+
+            if (typeof content === 'string') {
+                fs.writeFileSync(path.join(tmpDir, 'SKILL.md'), content);
+            } else if (typeof content === 'object') {
+                // Object with file contents
+                for (const [filename, fileContent] of Object.entries(content)) {
+                    // P0: Sanitize filename against path traversal
+                    const safeName = path.basename(filename).replace(/\.\./g, '');
+                    if (safeName !== filename || filename.includes('..')) {
+                        return res.status(400).json({ error: 'Invalid filename: ' + filename });
+                    }
+                    // P0: Ensure resolved path stays within tmpDir
+                    const filePath = path.resolve(tmpDir, filename);
+                    if (!filePath.startsWith(path.resolve(tmpDir) + path.sep)) {
+                        return res.status(400).json({ error: 'Path traversal in filename: ' + filename });
+                    }
+                    const dirPath = path.dirname(filePath);
+                    if (!fs.existsSync(dirPath)) {
+                        fs.mkdirSync(dirPath, { recursive: true });
+                    }
+                    fs.writeFileSync(filePath, fileContent);
+                }
+            }
+            targetDir = tmpDir;
+            cleanup = true;
+        }
+
+        if (!targetDir) {
+            return res.status(400).json({ error: 'Could not resolve skill target' });
+        }
+
+        // Run verification
+        const verifyWrapper = path.join(CLAWSEC_DIR, 'api', 'src', 'verify-wrapper.sh');
+        let result;
+        try {
+            const output = execFileSync('bash', [verifyWrapper, targetDir], {
+                timeout: 30000,
+                encoding: 'utf8',
+                env: { ...process.env, PATH: process.env.HOME + '/.local/bin:' + process.env.PATH }
+            });
+            result = JSON.parse(output.trim());
+        } catch (e) {
+            // Non-zero exit (warn=1, fail=2) still gives stdout via e.stdout
+            const output = e.stdout || e.stderr || '';
+            try {
+                result = JSON.parse(output.trim());
+            } catch(e2) {
+                result = {
+                    verdict: 'error',
+                    error: 'Verification failed',
+                    details: e.message,
+                    stdout_preview: (e.stdout || '').substring(0, 200)
+                };
+            }
+        }
+
+        // Save report
+        const reportId = result.report_id || uuidv4().slice(0, 8);
+        const reportPath = path.join(REPORTS_DIR, reportId + '.json');
+        fs.writeFileSync(reportPath, JSON.stringify(result, null, 2));
+
+        // Add scan URL to response
+        result.report_url = '/api/v1/report/' + reportId;
+        result.badge_url = '/api/v1/badge/' + reportId + '.svg';
+
+        res.json({ report_id: reportId, ...result });
+
+    } finally {
+        if (cleanup && targetDir && targetDir.startsWith('/tmp/clawsec-scan-')) {
+            try { fs.rmSync(targetDir, { recursive: true }); } catch {}
+        }
+    }
+});
+
+// GET /api/v1/report/:id - Retrieve a saved report
+router.get('/report/:id', (req, res) => {
+    const id = sanitizeId(req.params.id);
+    if (!id) return res.status(403).json({ error: 'invalid id' });
+    const reportPath = path.join(REPORTS_DIR, id + '.json');
+    const resolved = path.resolve(reportPath);
+    if (!resolved.startsWith(REPORTS_DIR + path.sep)) return res.status(403).json({ error: 'invalid id' });
+    if (!fs.existsSync(resolved)) {
+        return res.status(404).json({ error: 'Report not found' });
+    }
+    const report = JSON.parse(fs.readFileSync(resolved, 'utf8'));
+    res.json(report);
+});
+
+// GET /api/v1/badge/:id.svg - Trust badge
+router.get('/badge/:id.svg', (req, res) => {
+    const rawId = req.params.id.replace('.svg', '');
+    const id = sanitizeId(rawId);
+    if (!id) return res.type('svg').status(403).send(generateBadge('unknown'));
+    const reportPath = path.join(REPORTS_DIR, id + '.json');
+    const resolved = path.resolve(reportPath);
+    if (!resolved.startsWith(REPORTS_DIR + path.sep)) return res.type('svg').status(403).send(generateBadge('unknown'));
+    if (!fs.existsSync(resolved)) {
+        return res.type('svg').status(404).send(generateBadge('unknown'));
+    }
+    const report = JSON.parse(fs.readFileSync(resolved, 'utf8'));
+    res.type('svg').send(generateBadge(report.verdict));
+});
+
+// GET /api/v1/status - Intel cache status
+router.get('/status', (req, res) => {
+    const manifestPath = path.join(INTEL_DIR, 'manifest.json');
+    if (!fs.existsSync(manifestPath)) {
+        return res.json({ sources: [], updated_at: null });
+    }
+    const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
+    res.json(manifest);
+});
+
+module.exports = router;