From e56c44ec7b52d48b8dc2d3428ddc59cee2ba8c71 Mon Sep 17 00:00:00 2001
From: David Abutbul <David.a@prompt.security>
Date: Fri, 27 Feb 2026 20:32:46 +0200
Subject: [PATCH] auto-claude: subtask-1-2 - Add warning in handler.ts when
 checksum verificati

---
 .../hooks/clawsec-advisory-guardian/handler.ts           | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/skills/clawsec-suite/hooks/clawsec-advisory-guardian/handler.ts b/skills/clawsec-suite/hooks/clawsec-advisory-guardian/handler.ts
index ee1220f..142f036 100644
--- a/skills/clawsec-suite/hooks/clawsec-advisory-guardian/handler.ts
+++ b/skills/clawsec-suite/hooks/clawsec-advisory-guardian/handler.ts
@@ -12,6 +12,7 @@ const DEFAULT_FEED_URL =
   "https://clawsec.prompt.security/advisories/feed.json";
 const DEFAULT_SCAN_INTERVAL_SECONDS = 300;
 let unsignedModeWarningShown = false;
+let checksumBypassWarningShown = false;
 
 function parsePositiveInteger(value: string | undefined, fallback: number): number {
   const parsed = Number.parseInt(String(value ?? ""), 10);
@@ -160,6 +161,14 @@ const handler = async (event: HookEvent): Promise<void> => {
     );
   }
 
+  if (!verifyChecksumManifest && !checksumBypassWarningShown) {
+    checksumBypassWarningShown = true;
+    console.warn(
+      "[clawsec-advisory-guardian] CLAWSEC_VERIFY_CHECKSUM_MANIFEST=0 is enabled. " +
+        "This disables checksum verification and should be used with caution.",
+    );
+  }
+
   const forceScan = toEventName(event) === "command:new";
   const state = await loadState(stateFile);
   if (!forceScan && scannedRecently(state.last_hook_scan, scanIntervalSeconds)) {