From 6a982630a24b00e2eb3dda8a54a858d7325d1639 Mon Sep 17 00:00:00 2001
From: David Abutbul
Date: Fri, 27 Feb 2026 20:31:30 +0200
Subject: [PATCH] auto-claude: subtask-1-1 - Add warning in guarded_skill_install.mjs when checksum verification is disabled
---
 skills/clawsec-suite/scripts/guarded_skill_install.mjs | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/skills/clawsec-suite/scripts/guarded_skill_install.mjs b/skills/clawsec-suite/scripts/guarded_skill_install.mjs
index 7222978..1cecf9a 100644
--- a/skills/clawsec-suite/scripts/guarded_skill_install.mjs
+++ b/skills/clawsec-suite/scripts/guarded_skill_install.mjs
@@ -146,6 +146,12 @@ async function loadFeed() {
 );
 }
+ if (!verifyChecksumManifest) {
+ process.stderr.write(
+ "WARNING: CLAWSEC_VERIFY_CHECKSUM_MANIFEST=0 is enabled. Checksum verification for the advisory feed manifest is disabled. This reduces security guarantees.\n",
+ );
+ }
+
 const publicKeyPem = allowUnsigned ? "" : await fs.readFile(feedPublicKeyPath, "utf8");
 const remoteFeed = await loadRemoteFeed(feedUrl, {