@0xRaini 0xRaini commented Feb 9, 2026

Summary

This PR introduces a Trust Tier system to help users make informed decisions about skill safety before installing. It addresses the need for tiered security labels mentioned in #181.

Changes

New: Trust Tier Utility (src/lib/trustTier.ts)

  • Computes trust level based on VT scan status + publisher GitHub account age
  • Six tiers with clear semantics:
    • 🛡️ Verified - Clean VT scan + publisher account 30+ days old
    • Clean - Clean VT scan but publisher is new/unverified
    • Pending - Awaiting security scan
    • ⚠️ Suspicious - VT flagged as suspicious
    • 🚫 Malicious - VT flagged as malicious
    • Unknown - Could not determine status
  • Helper functions: isSafeTier(), isWarningTier(), isEstablishedPublisher()

New: TrustBadge Component (src/components/TrustBadge.tsx)

  • Visual badge showing trust tier with icon + label
  • Compact mode for skill cards (icon only with tooltip)
  • Detailed mode for skill pages (with description + metadata)
  • Fully accessible with ARIA labels

New: Trust Tier Styles (src/styles.css)

  • Color-coded badges matching severity levels
  • Full dark mode support
  • Hover effects and responsive design

New: Tests (src/lib/trustTier.test.ts)

  • Comprehensive test coverage for all tier computation logic
  • Edge case coverage (missing data, moderation flags, etc.)

Related Issues

  • Addresses openclaw#181 (tiered security labels)
  • Helps with security concerns in openclaw#159, openclaw#154, openclaw#152

Usage Example

```tsx
import { getTrustTier } from '../lib/trustTier'
import { TrustBadge } from '../components/TrustBadge'

// JSX is only valid inside a component; props have the same shapes getTrustTier expects
function SkillTrust({ skill, owner, latestVersion }) {
  const tier = getTrustTier(skill, owner, latestVersion)
  return <TrustBadge tier={tier} compact />
}
```

Next Steps (follow-up PRs)

  • Integrate TrustBadge into SkillCard.tsx and SkillDetailPage.tsx
  • Add trust tier filter to skill search/browse

Testing

  • Added unit tests for all trust tier logic
  • Manual testing: N/A (component not yet integrated into pages)

Greptile Overview

Greptile Summary

This PR adds a Trust Tier system for skills: a new src/lib/trustTier.ts utility to compute tiers from moderation + VirusTotal scan status + publisher GitHub account age, a TrustBadge/TrustBadgeWithDetails UI component to render the tier, corresponding badge styles in src/styles.css, and Vitest unit tests covering the tiering logic.

The changes are currently self-contained (not yet integrated into pages), but they introduce new CSS and a new public-facing tier computation API intended to be consumed by skill cards/detail pages.

Confidence Score: 3/5

  • This PR is close to mergeable but has a couple of concrete issues that should be fixed first.
  • Two definite problems were found in the current diff: an invalid CSS gradient token in the suspicious tier styling and unused imports in the new trustTier utility (likely failing lint/typecheck). There is also a logic mapping question around treating vtStatus === 'not_found' as pending that should be confirmed against backend semantics to avoid mislabeling tiers.
  • src/styles.css, src/lib/trustTier.ts

Context used:

  • Context from dashboard - AGENTS.md (source)


vercel bot commented Feb 9, 2026

Someone is attempting to deploy a commit to the Amantus Machina Team on Vercel.

A member of the Team first needs to authorize it.

@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@greptile-apps greptile-apps bot left a comment

2 files reviewed, 3 comments

Edit Code Review Agent Settings | Greptile

Comment on lines +124 to +126
if (!vtStatus || vtStatus === 'pending' || vtStatus === 'not_found') {
return 'pending'
}
Pending vs unknown

getTrustTier treats a missing vtAnalysis.status and vtStatus === 'not_found' as 'pending'. If not_found means “no VT report exists for this hash” (as opposed to “scan queued/in progress”), this will mislabel the tier and potentially mislead users into thinking a scan is running when it isn’t.

Consider mapping not_found to 'unknown' (or a dedicated tier) unless the backend guarantees not_found is a transient pending state.

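As an added example (not the PR's own `src/lib/trustTier.ts` and not the project's code), here is a TypeScript tier computation that follows the six-tier rules listed in the PR description and adopts the Greptile reviewer's suggestion above: a missing VirusTotal report (`not_found`, or no `vtAnalysis.status` at all) maps to `'unknown'` rather than `'pending'`, so the badge never implies a scan is running when none is. The input field names (`moderationStatus`, `githubCreatedAt`, `vtAnalysis.status`) and the moderation-to-tier mapping are assumptions; only the function names, the tier names and the `vtStatus`/`not_found` values come from the page.

```typescript
// Added example, not the PR's src/lib/trustTier.ts. Field names on the three
// input types are assumed; they are not the project's real types.

export type TrustTier = 'verified' | 'clean' | 'pending' | 'suspicious' | 'malicious' | 'unknown'

// VirusTotal-derived status. 'not_found' is taken to mean "no report exists for
// this hash" (the reviewer's reading), which is not the same as a queued scan.
export type VtStatus = 'clean' | 'suspicious' | 'malicious' | 'pending' | 'not_found'

export interface SkillInput {
  moderationStatus?: 'active' | 'flagged' | 'removed' // assumed field
}
export interface OwnerInput {
  githubCreatedAt?: string // assumed field: ISO 8601 creation time of the publisher's GitHub account
}
export interface VersionInput {
  vtAnalysis?: { status?: VtStatus }
}

export const ESTABLISHED_PUBLISHER_DAYS = 30
const MS_PER_DAY = 86_400_000

// "Established" = GitHub account at least 30 days old. A missing or unparseable
// date counts as not established, so a bad record can never upgrade a tier.
export function isEstablishedPublisher(owner: OwnerInput, now: Date = new Date()): boolean {
  if (!owner.githubCreatedAt) return false
  const createdMs = Date.parse(owner.githubCreatedAt)
  if (Number.isNaN(createdMs)) return false
  return (now.getTime() - createdMs) / MS_PER_DAY >= ESTABLISHED_PUBLISHER_DAYS
}

export function getTrustTier(
  skill: SkillInput,
  owner: OwnerInput,
  version: VersionInput,
  now: Date = new Date(),
): TrustTier {
  // Moderation decisions override the scanner verdict. The mapping here
  // (flagged -> suspicious, removed -> malicious) is an assumption; the PR only
  // says moderation flags are handled, not how.
  if (skill.moderationStatus === 'removed') return 'malicious'
  if (skill.moderationStatus === 'flagged') return 'suspicious'

  const vtStatus = version.vtAnalysis?.status
  switch (vtStatus) {
    case 'malicious':
      return 'malicious'
    case 'suspicious':
      return 'suspicious'
    case 'pending':
      // Only an explicitly queued / in-progress scan is shown as Pending.
      return 'pending'
    case 'clean':
      // Clean scan: Verified if the publisher is established, otherwise Clean.
      return isEstablishedPublisher(owner, now) ? 'verified' : 'clean'
    case 'not_found':
    default:
      // No report and no scan in flight (includes a missing status): say so.
      return 'unknown'
  }
}

// Tiers a consumer may treat as safe to install without a warning.
export function isSafeTier(tier: TrustTier): boolean {
  return tier === 'verified' || tier === 'clean'
}

// Tiers that should render as a warning.
export function isWarningTier(tier: TrustTier): boolean {
  return tier === 'suspicious' || tier === 'malicious'
}
```

The optional `now` parameter keeps the age rule deterministic in tests; in production it defaults to the current time. Note that `pending` and `unknown` are both outside `isSafeTier`, so a consumer that gates installs on the safe set still treats an absent report conservatively, while the label shown to the user stays truthful.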


0xRaini commented Feb 10, 2026

Hi maintainers 👋 The Vercel preview deployment requires authorization — could someone approve it when you get a chance? All other checks (Greptile Review, Vercel Agent Review) are passing. Thanks!

@therohitdas

Hi @0xRaini, this tiered system does not have a caution tier label.

Check this Discord message from @orlyjamie: https://discord.com/channels/1456350064065904867/1458861780976795782/1469764301098189040

0xRaini and others added 3 commits February 10, 2026 15:00
Co-authored-by: vercel[bot] <35613825+vercel[bot]@users.noreply.github.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@@ -0,0 +1,183 @@
// (remove unused import)
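Review bot: the only line visible from this 183-line new file is the placeholder comment `// (remove unused import)`, which would ship in the file as-is; the Greptile summary flags unused imports in `src/lib/trustTier.ts`, so remove the imports themselves rather than leaving a note about them, and let the file open with its `/**` JSDoc header so the comment block parses.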
Suggested change
// (remove unused import)
/**

Invalid syntax: JSDoc comment is broken with orphaned content starting with * and a meaningless // (remove unused import) comment on line 1.

