ci(skills): publish release trust packets + expand skill installer awareness (vercel) (#262)

* ci(skills): publish release trust packets

* ci(skills): simulate beta tag releases

* ci(skills): match release version bump rules

* chore(skills): group agent skills for installer

* chore(skills): make clawtributor global

* chore(skills): bump all skills for trust release

* ci(skills): require npx install docs

* fix(skills): simulate prerelease tag versions

* fix(skills): aggregate trust artifact checksum failures

* fix(frontend): advertise npx skills suite install

* chore(frontend): drop ad hoc homepage copy test

* fix(ci): run skill release tooling tests
davida-ps
2026-06-10 13:22:22 +03:00
committed by GitHub
parent d7312d7429
commit c1d1824f86
77 changed files with 2528 additions and 84 deletions
+7
@@ -1,5 +1,12 @@
# Changelog
## [0.0.4] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
- Marked the release helper with top-level internal metadata so compatible installers can hide it from normal agent-facing discovery.
## [0.0.3] - 2026-05-14
### Security
+11
@@ -0,0 +1,11 @@
# Claw Release
Release automation for Claw skills and website. Guides through version bumping, tagging, and release verification.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill claw-release -a openclaw -y
```
+16 -4
@@ -1,9 +1,14 @@
---
name: claw-release
version: 0.0.3
version: 0.0.4
description: Release automation for Claw skills and website. Guides through version bumping, tagging, and release verification.
homepage: https://clawsec.prompt.security
metadata: {"openclaw":{"emoji":"🚀","category":"utility","internal":true}}
metadata:
internal: true
openclaw:
emoji: "🚀"
category: "utility"
internal: true
clawdis:
emoji: "🚀"
requires:
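Review bot: `internal: true` is now set twice in this frontmatter, once directly under `metadata:` and once under `metadata.openclaw`, so the two flags can drift apart on a later edit. If the nested copy is kept only for readers that still look under `openclaw`, say so in a YAML comment next to it; otherwise drop it and keep the top-level key that the changelog entry describes.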
@@ -18,6 +23,14 @@ Internal tool for releasing skills and managing the ClawSec catalog.
---
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill claw-release -a openclaw -y
```
## Operational Notes
- Internal maintainer workflow only.
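Review bot: The new install section lands directly above `- Internal maintainer workflow only.`, and the notes that follow list side effects that include pushing to the remote and publishing GitHub Releases. Add a sentence to the section saying the command is meant for ClawSec maintainers, so the boilerplate shared with the public skills does not read as a general install recommendation.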
@@ -26,7 +39,6 @@ Internal tool for releasing skills and managing the ClawSec catalog.
- Side effects: creates commits, tags, pushes to remote, and publishes GitHub Releases
- Trust model: run only from a trusted checkout with a clean working tree and maintainer approval
## Release Artifact Verification
For standalone installs, verify the signed release manifest before trusting `SKILL.md`, `skill.json`, or the archive. The `skill.json` file is the package metadata/SBOM source, and the release pipeline signs `checksums.json` with the ClawSec release key.
@@ -35,7 +47,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
set -euo pipefail
SKILL_NAME="claw-release"
VERSION="0.0.3"
VERSION="0.0.4"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
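Review bot: `VERSION="0.0.4"` in the verification snippet is a second hand-maintained copy of the `version:` value in this file's frontmatter. A bump that misses one of them leaves `TAG` pointing at the previous release, so a reader following the snippet would verify the old package. Consider a CI check that the two values match, or have the release tooling rewrite this line.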
+1 -1
@@ -1,6 +1,6 @@
{
"name": "claw-release",
"version": "0.0.3",
"version": "0.0.4",
"description": "Release automation for Claw skills and website. Guides through version bumping, tagging, and release verification.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
# Changelog
## [0.0.6] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
## [0.0.5] - 2026-06-07
### Security
+8
@@ -2,6 +2,14 @@
A `clawsec-suite` companion skill that adds a standalone reputation gate before guarded installs.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill clawsec-clawhub-checker -a openclaw -y
```
## Operational Notes
- Required runtime: `node`, `clawhub`, `openclaw`
+9 -2
@@ -1,6 +1,6 @@
---
name: clawsec-clawhub-checker
version: 0.0.5
version: 0.0.6
description: ClawHub reputation checker for clawsec-suite. Adds a standalone reputation gate before guarded skill installation.
homepage: https://clawsec.prompt.security
clawdis:
@@ -14,6 +14,14 @@ clawdis:
Adds a reputation gate on top of the `clawsec-suite` guarded installer.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill clawsec-clawhub-checker -a openclaw -y
```
## Operational Notes
- Required runtime: `node`, `clawhub`, `openclaw`
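Review bot: The added command installs only `clawsec-clawhub-checker`, while the line above it describes the skill as a gate on top of the `clawsec-suite` guarded installer and the runtime list names `clawhub` and `openclaw`. State in the new section whether `clawsec-suite` has to be installed first, and what the checker does when it is missing.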
@@ -45,7 +53,6 @@ Optional preflight check (validates local paths and prints recommended command):
node ~/.openclaw/skills/clawsec-clawhub-checker/scripts/setup_reputation_hook.mjs
```
## Release Artifact Verification
For standalone installs, verify the signed release manifest before trusting `SKILL.md`, `skill.json`, or the archive. The `skill.json` file is the package metadata/SBOM source, and the release pipeline signs `checksums.json` with the ClawSec release key.
+1 -1
@@ -1,6 +1,6 @@
{
"name": "clawsec-clawhub-checker",
"version": "0.0.5",
"version": "0.0.6",
"description": "ClawHub reputation checker for clawsec-suite. Adds a standalone reputation gate before guarded skill installation.",
"author": "abutbul",
"license": "AGPL-3.0-or-later",
+6
@@ -1,5 +1,11 @@
# Changelog
## [0.0.9] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
## [0.0.8] - 2026-05-24
### Changed
+8
@@ -2,6 +2,14 @@
Security advisory feed monitoring for AI agents. Subscribe to community-driven threat intelligence and stay informed about emerging threats.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill clawsec-feed -a openclaw -y
```
## Operational Notes
- Required runtime for standalone installation: `bash`, `curl`, `jq`, `shasum`, `unzip`
+10 -4
@@ -1,6 +1,6 @@
---
name: clawsec-feed
version: 0.0.8
version: 0.0.9
description: Security advisory feed package for OpenClaw-related threats and vulnerabilities. The upstream feed is updated daily; local automation is handled by clawsec-suite or the operator.
homepage: https://clawsec.prompt.security
metadata: {"openclaw":{"emoji":"📡","category":"security"}}
@@ -16,6 +16,14 @@ Security advisory feed monitoring for AI agents. Subscribe to community-driven t
The default `feed.json` is the consolidated agent feed. It includes NVD CVEs, approved community advisories, and provisional GitHub Security Advisories that do not have CVE IDs yet.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill clawsec-feed -a openclaw -y
```
## Operational Notes
- Required runtime for standalone installation: `bash`, `curl`, `jq`, `shasum`, `unzip`
@@ -66,7 +74,6 @@ Standalone installation is a network download workflow. Verify the release sourc
Installation Steps:
Agents should review scripts before execution!
```bash
# Get latest clawsec-feed release tag
LATEST_TAG=$(curl -sSL https://api.github.com/repos/prompt-security/ClawSec/releases | \
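Review bot: The repository slug is spelled `prompt-security/ClawSec` in the `curl` line of this hunk and `prompt-security/clawsec` in the install command added earlier in the same file. Use one spelling throughout; readers who pin or allow-list the download source by string will otherwise see what looks like two origins.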
@@ -81,7 +88,6 @@ Once you have this skill file, proceed to **[Deploy ClawSec Feed](#deploy-clawse
---
## Release Artifact Verification
For standalone installs, verify the signed release manifest before trusting `SKILL.md`, `skill.json`, or the archive. The `skill.json` file is the package metadata/SBOM source, and the release pipeline signs `checksums.json` with the ClawSec release key.
@@ -90,7 +96,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
set -euo pipefail
SKILL_NAME="clawsec-feed"
VERSION="0.0.8"
VERSION="0.0.9"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
+1 -1
@@ -1,6 +1,6 @@
{
"name": "clawsec-feed",
"version": "0.0.8",
"version": "0.0.9",
"description": "Security advisory feed monitoring for AI agents. Subscribe to community-driven threat intelligence.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
+6
@@ -1,5 +1,11 @@
# Changelog
## [0.0.8] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
## [0.0.7] - 2026-06-07
### Security
+8
@@ -2,6 +2,14 @@
ClawSec now supports NanoClaw, a containerized WhatsApp bot powered by Claude agents.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill clawsec-nanoclaw -a openclaw -y
```
## What Changed
### Advisory Feed Monitoring
+9 -2
@@ -1,6 +1,6 @@
---
name: clawsec-nanoclaw
version: 0.0.7
version: 0.0.8
description: Use when checking for security vulnerabilities in NanoClaw skills, before installing new skills, or when asked about security advisories affecting the bot
---
@@ -8,6 +8,14 @@ description: Use when checking for security vulnerabilities in NanoClaw skills,
Security advisory monitoring that protects your WhatsApp bot from known vulnerabilities in skills and dependencies.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill clawsec-nanoclaw -a openclaw -y
```
## Overview
ClawSec provides MCP tools that check installed skills against a curated feed of security advisories. It prevents installation of vulnerable skills, includes exploitability context for triage, and alerts you to issues in existing ones.
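Review bot: The command is introduced as being "for this harness" but passes `-a openclaw` for a skill whose description targets NanoClaw. The Hermes skills in this commit use `-a hermes-agent`, so either use a NanoClaw agent target here or add a line explaining why NanoClaw installs go through the `openclaw` target.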
@@ -201,7 +209,6 @@ See [INSTALL.md](./INSTALL.md) for setup and [docs/](./docs/) for advanced usage
- Provides actionable remediation steps
- Zero false positives (curated feed only)
## Release Artifact Verification
For standalone installs, verify the signed release manifest before trusting `SKILL.md`, `skill.json`, or the archive. The `skill.json` file is the package metadata/SBOM source, and the release pipeline signs `checksums.json` with the ClawSec release key.
+1 -1
@@ -1,6 +1,6 @@
{
"name": "clawsec-nanoclaw",
"version": "0.0.7",
"version": "0.0.8",
"description": "ClawSec security suite for NanoClaw - Advisory feed monitoring, MCP tools for vulnerability checking, and Ed25519 signature verification for containerized WhatsApp bot agents",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
+6
@@ -1,5 +1,11 @@
# Changelog
## [0.0.5] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
## [0.0.4] - 2026-06-07
### Security
+11
@@ -0,0 +1,11 @@
# Clawsec Scanner
Automated vulnerability scanner for agent platforms. Performs dependency scanning (npm audit, pip-audit), multi-database CVE lookup (OSV, NVD, GitHub Advisory), SAST analysis (Semgrep, Bandit), and agent-specific static hook inspection for OpenClaw hooks.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill clawsec-scanner -a openclaw -y
```
+9 -1
@@ -1,6 +1,6 @@
---
name: clawsec-scanner
version: 0.0.4
version: 0.0.5
description: Automated vulnerability scanner for agent platforms. Performs dependency scanning (npm audit, pip-audit), multi-database CVE lookup (OSV, NVD, GitHub Advisory), SAST analysis (Semgrep, Bandit), and agent-specific static hook inspection for OpenClaw hooks.
homepage: https://clawsec.prompt.security
clawdis:
@@ -20,6 +20,14 @@ Comprehensive security scanner for agent platforms that automates vulnerability
- **Unified Reporting**: Consolidated vulnerability reports with severity classification and remediation guidance
- **Continuous Monitoring**: OpenClaw hook integration for automated periodic scanning
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill clawsec-scanner -a openclaw -y
```
## Features
### Multi-Engine Scanning
+1 -1
@@ -1,6 +1,6 @@
{
"name": "clawsec-scanner",
"version": "0.0.4",
"version": "0.0.5",
"description": "Automated vulnerability scanner for agent platforms. Performs dependency scanning (npm audit, pip-audit), multi-database CVE lookup (OSV, NVD, GitHub Advisory), SAST analysis (Semgrep, Bandit), and agent-specific static hook inspection for OpenClaw hooks.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
+6
@@ -1,5 +1,11 @@
# Changelog
## [0.1.10] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
All notable changes to the ClawSec Suite will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
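Review bot: The `## [0.1.10]` entry is inserted between `# Changelog` and the preamble that starts "All notable changes to the ClawSec Suite will be documented in this file.", so the preamble now reads as part of the 0.1.10 notes. Move the new entry below the preamble, above the previous release heading.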
+11
@@ -0,0 +1,11 @@
# Clawsec Suite
ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill clawsec-suite -a openclaw -y
```
+9 -1
@@ -1,6 +1,6 @@
---
name: clawsec-suite
version: 0.1.9
version: 0.1.10
description: ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills.
homepage: https://clawsec.prompt.security
clawdis:
@@ -11,6 +11,14 @@ clawdis:
# ClawSec Suite
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill clawsec-suite -a openclaw -y
```
## Operational Notes
- Required runtime: `node`, `npx`, `openclaw`, `curl`, `jq`, `shasum`, `openssl`, `unzip`
+1 -1
@@ -1,6 +1,6 @@
{
"name": "clawsec-suite",
"version": "0.1.9",
"version": "0.1.10",
"description": "ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
+10
@@ -1,5 +1,15 @@
# Changelog
## [0.0.7] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
- Marked Clawtributor as a harness-neutral global skill for OpenClaw, NanoClaw, Hermes, and Picoclaw installer grouping.
- Removed OpenClaw CLI as a declared runtime requirement because reporting is manual, approval-gated, and not tied to an OpenClaw command path.
- Documented Vercel skills installer usage alongside the OpenClaw/ClawHub install path.
- Moved local report/state guidance to `~/.clawsec/clawtributor/`.
## [0.0.6] - 2026-05-14
### Security
+22
@@ -2,6 +2,20 @@
Community incident reporting for AI agents.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill clawtributor -a openclaw -y
```
Codex install is also supported:
```bash
npx skills add prompt-security/clawsec --skill clawtributor -a codex -y
```
## Operational Notes
- Reporting is opt-in for every submission
@@ -17,6 +31,14 @@ Community incident reporting for AI agents.
## Quick Install
Vercel skills installer:
```bash
npx skills add prompt-security/clawsec --skill clawtributor -a codex -y
```
OpenClaw/ClawHub:
```bash
npx clawhub@latest install clawtributor
```
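Review bot: This README now gives the Vercel installer command in two places with different defaults: the new "Vercel Skills Installation" section leads with `-a openclaw`, while "Quick Install" shows only `-a codex`. Keep one section as the source for the command and link to it from the other, or make both list the same agent targets in the same order.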
+38 -12
@@ -1,23 +1,44 @@
---
name: clawtributor
version: 0.0.6
description: Community incident reporting for AI agents. Contribute to collective security by reporting threats.
version: 0.0.7
description: Harness-neutral community incident reporting for AI agents. Contribute to collective security by reporting threats.
homepage: https://clawsec.prompt.security
metadata: {"openclaw":{"emoji":"🤝","category":"security"}}
platforms:
- openclaw
- nanoclaw
- hermes
- picoclaw
metadata:
global: true
openclaw:
emoji: "🤝"
category: "security"
clawdis:
emoji: "🤝"
requires:
bins: [openclaw]
---
# Clawtributor 🤝
Community incident reporting for AI agents. Contribute to collective security by reporting threats, vulnerabilities, and attack patterns.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill clawtributor -a openclaw -y
```
Codex install is also supported:
```bash
npx skills add prompt-security/clawsec --skill clawtributor -a codex -y
```
## Operational Notes
- Recommended install path: ClawHub registry (`npx clawhub@latest install clawtributor`)
- Side effects: creates local report/state files under `~/.openclaw/`
- Recommended install path: harness-native skills installer; use ClawHub for OpenClaw/ClawHub environments (`npx clawhub@latest install clawtributor`)
- Side effects: creates local report/state files under `~/.clawsec/clawtributor/`
- Network behavior: none unless the user explicitly approves manual submission
- Trust model: reporting is opt-in for every submission; sanitize evidence before it leaves the host
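Review bot: `requires:` with `bins: [openclaw]` still appears under `clawdis:` in this frontmatter hunk. The 0.0.7 changelog entry says the OpenClaw CLI was removed as a declared runtime requirement, and the `skill.json` hunk drops the matching `requires.bins` block, so confirm this copy is deleted as well; a leftover would contradict the harness-neutral description added a few lines above.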
@@ -27,7 +48,13 @@ Community incident reporting for AI agents. Contribute to collective security by
## Installation
Install from the registry:
Install with your harness-native skills installer. For the Vercel skills installer:
```bash
npx skills add prompt-security/clawsec --skill clawtributor -a codex -y
```
For OpenClaw/ClawHub environments, install from the registry:
```bash
npx clawhub@latest install clawtributor
@@ -44,7 +71,6 @@ I will keep reports local unless you explicitly approve submission.
---
## Release Artifact Verification
For standalone installs, verify the signed release manifest before trusting `SKILL.md`, `skill.json`, or the archive. The `skill.json` file is the package metadata/SBOM source, and the release pipeline signs `checksums.json` with the ClawSec release key.
@@ -53,7 +79,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
set -euo pipefail
SKILL_NAME="clawtributor"
VERSION="0.0.6"
VERSION="0.0.7"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
@@ -233,7 +259,7 @@ See [reporting.md](./reporting.md) for the full report format and submission gui
### Step 1: Prepare report locally
- Save the report JSON under `~/.openclaw/clawtributor-reports/`
- Save the report JSON under `~/.clawsec/clawtributor/reports/`
- Keep file permissions private (`chmod 600`)
- Confirm the report is sanitized before sharing
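Review bot: The report location changes to `~/.clawsec/clawtributor/reports/`, a directory tree that does not exist on current installs, yet the step still asks only for `chmod 600` on the file. Add that the new directories should be created owner-only (for example `chmod 700`) so that report file names and count are not visible to other local users.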
@@ -284,7 +310,7 @@ DO NOT include:
## State Tracking
Track submitted reports in `~/.openclaw/clawtributor-state.json`.
Track submitted reports in `~/.clawsec/clawtributor/state.json`.
Example:
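Review bot: Pointing state tracking at `~/.clawsec/clawtributor/state.json` without a migration step means an existing install starts from empty state and loses its record of reports that were already submitted. Document a one-time move from `~/.openclaw/clawtributor-state.json`, or describe a fallback read of the old path.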
+10 -7
@@ -1,16 +1,24 @@
{
"name": "clawtributor",
"version": "0.0.6",
"description": "Community incident reporting for AI agents. Contribute to collective security by reporting threats.",
"version": "0.0.7",
"description": "Harness-neutral community incident reporting for AI agents. Contribute to collective security by reporting threats.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
"homepage": "https://clawsec.prompt.security",
"platforms": [
"openclaw",
"nanoclaw",
"hermes",
"picoclaw"
],
"keywords": [
"security",
"reporting",
"community",
"agents",
"ai",
"global",
"harness-neutral",
"vulnerability",
"contribution"
],
@@ -36,11 +44,6 @@
"openclaw": {
"emoji": "🤝",
"category": "security",
"requires": {
"bins": [
"openclaw"
]
},
"execution": {
"always": false,
"persistence": "Stores local report/state files only; no recurring automation is created by default.",
@@ -1,5 +1,11 @@
# Changelog
## [0.1.4] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
## [0.1.3] - 2026-05-24
### Changed
@@ -4,6 +4,14 @@ Hermes-only attestation, advisory verification, and guarded verification workflo
Status: implemented (v0.1.0), Hermes-only.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill hermes-attestation-guardian -a hermes-agent -y
```
## Capabilities
This skill now covers the full Hermes-side capability set expected from the clawsec-suite parity workstream:
+9 -2
@@ -1,6 +1,6 @@
---
name: hermes-attestation-guardian
version: 0.1.3
version: 0.1.4
description: Hermes-only runtime security attestation and drift detection skill for operator-managed Hermes infrastructure.
homepage: https://clawsec.prompt.security
hermes:
@@ -15,6 +15,13 @@ IMPORTANT SCOPE:
- This skill targets Hermes infrastructure only (CLI/Gateway/profile-managed deployments).
- This skill is not an OpenClaw runtime hook package.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill hermes-attestation-guardian -a hermes-agent -y
```
## Release Artifact Verification
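Review bot: The install command added directly above "Release Artifact Verification" names only the repository and skill, with no version or tag, while the verification snippet that follows pins `VERSION` and `TAG`. Say in this section whether an `npx skills add` install is checked against the signed `checksums.json` at all, and if it is not, point readers who need that guarantee to the standalone path.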
@@ -24,7 +31,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
set -euo pipefail
SKILL_NAME="hermes-attestation-guardian"
VERSION="0.1.3"
VERSION="0.1.4"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
@@ -1,6 +1,6 @@
{
"name": "hermes-attestation-guardian",
"version": "0.1.3",
"version": "0.1.4",
"description": "Hermes-only runtime security attestation and drift detection skill. Generates deterministic posture artifacts, verifies integrity fail-closed, and classifies baseline drift severity.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
# Changelog
## [0.0.1-beta3] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
## [0.0.1-beta2] - 2026-05-13
### Security
+8 -1
@@ -4,6 +4,14 @@ Baseline skill for Hermes runtime traffic monitoring.
This package is intentionally a spec scaffold. Builders should add the Hermes-specific monitor implementation here while preserving the safety contract in `SKILL.md` and `SPEC.md`.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill hermes-traffic-guardian -a hermes-agent -y
```
## Intended Capability
- detect outbound secret exfiltration in Hermes HTTP/HTTPS traffic
@@ -15,4 +23,3 @@ This package is intentionally a spec scaffold. Builders should add the Hermes-sp
## Builder Notes
Keep runtime ownership in this skill. `hermes-attestation-guardian` should only attest this skill's state, config, and output fingerprints.
+9 -3
@@ -1,6 +1,6 @@
---
name: hermes-traffic-guardian
version: 0.0.1-beta2
version: 0.0.1-beta3
description: Hermes runtime traffic monitoring baseline for opt-in proxy inspection, egress detection, and attestation-aware traffic posture.
homepage: https://clawsec.prompt.security
author: prompt-security
@@ -15,6 +15,13 @@ hermes:
This is a baseline specification skill. It intentionally does not ship a proxy or runtime implementation yet.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill hermes-traffic-guardian -a hermes-agent -y
```
## Release Artifact Verification
@@ -24,7 +31,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
set -euo pipefail
SKILL_NAME="hermes-traffic-guardian"
VERSION="0.0.1-beta2"
VERSION="0.0.1-beta3"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
@@ -145,4 +152,3 @@ Read `SPEC.md` before implementing. Use the placeholder folders as follows:
- default blocking
- sending traffic to external services
- collecting full request/response bodies
+1 -1
@@ -1,6 +1,6 @@
{
"name": "hermes-traffic-guardian",
"version": "0.0.1-beta2",
"version": "0.0.1-beta3",
"description": "Hermes runtime traffic monitoring baseline for opt-in proxy inspection, egress detection, and attestation-aware traffic posture.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
# Changelog
## [0.0.1-beta3] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
## [0.0.1-beta2] - 2026-05-13
### Security
+8 -1
@@ -4,6 +4,14 @@ Baseline skill for NanoClaw runtime traffic monitoring.
This package is intentionally a spec scaffold. Builders should add the NanoClaw-specific host-service, IPC, and MCP implementation here while preserving the safety contract in `SKILL.md` and `SPEC.md`.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill nanoclaw-traffic-guardian -a openclaw -y
```
## Intended Capability
- detect outbound secret exfiltration in NanoClaw host-managed traffic
@@ -15,4 +23,3 @@ This package is intentionally a spec scaffold. Builders should add the NanoClaw-
## Builder Notes
Follow the existing `clawsec-nanoclaw` pattern: host services own privileged operations, while MCP tools expose bounded requests and redacted responses.
+9 -3
@@ -1,6 +1,6 @@
---
name: nanoclaw-traffic-guardian
version: 0.0.1-beta2
version: 0.0.1-beta3
description: NanoClaw runtime traffic monitoring baseline for host-side proxy inspection with container-safe MCP and IPC status surfaces.
homepage: https://clawsec.prompt.security
author: prompt-security
@@ -14,6 +14,13 @@ nanoclaw:
This is a baseline specification skill. It intentionally does not ship a proxy or runtime implementation yet.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill nanoclaw-traffic-guardian -a openclaw -y
```
## Release Artifact Verification
@@ -23,7 +30,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
set -euo pipefail
SKILL_NAME="nanoclaw-traffic-guardian"
VERSION="0.0.1-beta2"
VERSION="0.0.1-beta3"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
@@ -146,4 +153,3 @@ Read `SPEC.md` before implementing. Use the placeholder folders as follows:
- default blocking
- sending traffic to external services
- exposing raw request/response bodies to the container
+1 -1
@@ -1,6 +1,6 @@
{
"name": "nanoclaw-traffic-guardian",
"version": "0.0.1-beta2",
"version": "0.0.1-beta3",
"description": "NanoClaw runtime traffic monitoring baseline for host-side proxy inspection with container-safe MCP and IPC status surfaces.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
# Changelog
## [0.1.7] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
## [0.1.6] - 2026-05-16
### Fixed
+8
@@ -2,6 +2,14 @@
Automated daily security audits for OpenClaw agents with DM delivery and optional email reporting.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill openclaw-audit-watchdog -a openclaw -y
```
## Overview
The Audit Watchdog provides automated security monitoring for your OpenClaw agent deployments:
+10 -3
@@ -1,6 +1,6 @@
---
name: openclaw-audit-watchdog
version: 0.1.6
version: 0.1.7
description: Automated daily security audits for OpenClaw agents with DM delivery and optional email reporting. Runs deep audits, creates or updates a recurring cron job, and sends formatted reports to configured recipients.
homepage: https://clawsec.prompt.security
metadata:
@@ -29,6 +29,14 @@ clawdis:
# Prompt Security Audit (openclaw)
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill openclaw-audit-watchdog -a openclaw -y
```
## Installation Options
You can get openclaw-audit-watchdog in two ways:
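Review bot: With the "Vercel Skills Installation" section added above it, "You can get openclaw-audit-watchdog in two ways:" is no longer accurate. Fold the Vercel command into "Installation Options" as a third option, or reword the sentence so the count matches what the document now offers.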
@@ -65,7 +73,6 @@ Continue below for standalone installation instructions.
---
## Release Artifact Verification
For standalone installs, verify the signed release manifest before trusting `SKILL.md`, `skill.json`, or the archive. The `skill.json` file is the package metadata/SBOM source, and the release pipeline signs `checksums.json` with the ClawSec release key.
@@ -74,7 +81,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
set -euo pipefail
SKILL_NAME="openclaw-audit-watchdog"
VERSION="0.1.6"
VERSION="0.1.7"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
+1 -1
@@ -1,6 +1,6 @@
{
"name": "openclaw-audit-watchdog",
"version": "0.1.6",
"version": "0.1.7",
"description": "Automated daily security audits for OpenClaw agents with DM delivery and optional email reporting. Creates or updates an unattended cron job and sends formatted reports to configured recipients.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
# Changelog
## [0.0.1-beta3] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
## [0.0.1-beta2] - 2026-05-13
### Security
+8 -1
@@ -4,6 +4,14 @@ Baseline skill for OpenClaw runtime traffic monitoring.
This package is intentionally a spec scaffold. Builders should add the OpenClaw-specific monitor implementation here while preserving the safety contract in `SKILL.md` and `SPEC.md`.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill openclaw-traffic-guardian -a openclaw -y
```
## Intended Capability
- detect outbound secret exfiltration in agent HTTP/HTTPS traffic
@@ -15,4 +23,3 @@ This package is intentionally a spec scaffold. Builders should add the OpenClaw-
## Builder Notes
Use `SPEC.md` as the implementation contract. Keep runtime changes opt-in and scoped to the OpenClaw process being monitored.
+9 -3
@@ -1,6 +1,6 @@
---
name: openclaw-traffic-guardian
version: 0.0.1-beta2
version: 0.0.1-beta3
description: OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, and inbound injection detection.
homepage: https://clawsec.prompt.security
author: prompt-security
@@ -15,6 +15,13 @@ clawdis:
This is a baseline specification skill. It intentionally does not ship a proxy or runtime implementation yet.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill openclaw-traffic-guardian -a openclaw -y
```
## Release Artifact Verification
@@ -24,7 +31,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
set -euo pipefail
SKILL_NAME="openclaw-traffic-guardian"
VERSION="0.0.1-beta2"
VERSION="0.0.1-beta3"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
@@ -146,4 +153,3 @@ Read `SPEC.md` before implementing. Use the placeholder folders as follows:
- default blocking
- sending traffic to external services
- collecting full request/response bodies
+1 -1
View File
@@ -1,6 +1,6 @@
{
"name": "openclaw-traffic-guardian",
"version": "0.0.1-beta2",
"version": "0.0.1-beta3",
"description": "OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, and inbound injection detection.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
# Changelog
## [0.0.4] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
## [0.0.3] - 2026-05-24
### Changed
+8 -1
View File
@@ -6,6 +6,14 @@ Status: implemented (v0.0.1), Picoclaw-specific.
Detailed architecture/operator docs: `wiki/modules/picoclaw-security-guardian.md`.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill picoclaw-security-guardian -a openclaw -y
```
## Support matrix mapping
| Skill name | supported platform | security feed | config drift | agent posture-review lane | chain of supply verification |
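Review bot: the added command passes `-a openclaw` under the sentence "Install with the Vercel Skills CLI for this harness", but this README describes the skill as Picoclaw-specific. If `openclaw` is the intended target for Picoclaw installs, say so in one sentence next to the command. Otherwise the agent value or the wording "this harness" needs to change.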
@@ -48,4 +56,3 @@ test/picoclaw_security_guardian_sandbox_regression.sh
```
It uses Docker to publish the skill through a local ClawHub-compatible registry, installs it with Picoclaw's own `find_skills` / `install_skill` flow into an isolated Picoclaw workspace, confirms Picoclaw's skill loader can list/load it, then verifies the installed copy's profile, drift, advisory, and supply-chain paths.
+9 -2
View File
@@ -1,6 +1,6 @@
---
name: picoclaw-security-guardian
version: 0.0.3
version: 0.0.4
description: Picoclaw security posture skill with advisory awareness, configuration drift detection, and supply-chain verification guidance.
homepage: https://clawsec.prompt.security
author: prompt-security
@@ -18,6 +18,13 @@ picoclaw:
Detailed architecture/operator docs: `wiki/modules/picoclaw-security-guardian.md`.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill picoclaw-security-guardian -a openclaw -y
```
## Release Artifact Verification
@@ -27,7 +34,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
set -euo pipefail
SKILL_NAME="picoclaw-security-guardian"
VERSION="0.0.3"
VERSION="0.0.4"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
+1 -1
View File
@@ -1,6 +1,6 @@
{
"name": "picoclaw-security-guardian",
"version": "0.0.3",
"version": "0.0.4",
"description": "Picoclaw security posture skill with advisory awareness, configuration drift detection, and supply-chain verification guidance.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
# Changelog
## [0.0.3] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
## [0.0.2] - 2026-05-13
### Security
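Review bot: the new 0.0.3 entry files "signed release trust artifacts" under "Changed" and does not name them, while the previous entry in this file uses a "Security" heading. Since this is the change a consumer is expected to act on, name the artifacts to verify (the SKILL.md text refers to a signed `checksums.json`) and consider listing the item under "Security" so it is not read as a packaging-only re-release.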
@@ -4,6 +4,14 @@ Picoclaw-only local posture-review findings package for ClawSec.
Status: implemented (v0.0.1), Picoclaw-specific.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill picoclaw-self-pen-testing -a openclaw -y
```
## What it does
Given a generated Picoclaw posture profile, it emits severity-ranked findings and a summary count for local operator review.
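Review bot: the unchanged context line above the new section still reads "Status: implemented (v0.0.1)", while this commit bumps the package to 0.0.3. Since the README is being touched anyway, update the status line or drop the version from it so it cannot go stale again.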
+9 -2
View File
@@ -1,6 +1,6 @@
---
name: picoclaw-self-pen-testing
version: 0.0.2
version: 0.0.3
description: Picoclaw-only local posture-review skill focused on read-only findings and safe operator remediation guidance.
homepage: https://clawsec.prompt.security
author: prompt-security
@@ -18,6 +18,13 @@ picoclaw:
Purpose: keep Picoclaw posture-review checks isolated from the broader guardian package so moderation-sensitive checks can be versioned/published independently.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill picoclaw-self-pen-testing -a openclaw -y
```
## Release Artifact Verification
@@ -27,7 +34,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
set -euo pipefail
SKILL_NAME="picoclaw-self-pen-testing"
VERSION="0.0.2"
VERSION="0.0.3"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
+1 -1
View File
@@ -1,6 +1,6 @@
{
"name": "picoclaw-self-pen-testing",
"version": "0.0.2",
"version": "0.0.3",
"description": "Picoclaw-only local posture-review skill focused on read-only findings and safe operator remediation guidance.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
# Changelog
## [0.0.1-beta3] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
## [0.0.1-beta2] - 2026-05-13
### Security
+8 -1
View File
@@ -4,6 +4,14 @@ Baseline skill for Picoclaw runtime traffic monitoring.
This package is intentionally a spec scaffold. Builders should add the Picoclaw-specific monitor implementation here while preserving the safety contract in `SKILL.md` and `SPEC.md`.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill picoclaw-traffic-guardian -a openclaw -y
```
## Intended Capability
- detect outbound secret exfiltration in Picoclaw gateway HTTP/HTTPS traffic
@@ -15,4 +23,3 @@ This package is intentionally a spec scaffold. Builders should add the Picoclaw-
## Builder Notes
Keep runtime ownership in this skill. `picoclaw-security-guardian` should only profile and drift-check this skill's state, config, and output fingerprints.
+9 -3
View File
@@ -1,6 +1,6 @@
---
name: picoclaw-traffic-guardian
version: 0.0.1-beta2
version: 0.0.1-beta3
description: Picoclaw runtime traffic monitoring baseline for lightweight AI gateway proxy inspection, egress detection, and posture integration.
homepage: https://clawsec.prompt.security
author: prompt-security
@@ -15,6 +15,13 @@ picoclaw:
This is a baseline specification skill. It intentionally does not ship a proxy or runtime implementation yet.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill picoclaw-traffic-guardian -a openclaw -y
```
## Release Artifact Verification
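Review bot: the install section is added directly under "It intentionally does not ship a proxy or runtime implementation yet", and nothing in the new lines repeats that for a reader who jumps straight to the command. Add a sentence to the section stating that installing this version adds the specification only and does not start any traffic monitoring.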
@@ -24,7 +31,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
set -euo pipefail
SKILL_NAME="picoclaw-traffic-guardian"
VERSION="0.0.1-beta2"
VERSION="0.0.1-beta3"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
@@ -145,4 +152,3 @@ Read `SPEC.md` before implementing. Use the placeholder folders as follows:
- default blocking
- sending traffic to external services
- collecting full request/response bodies
+1 -1
View File
@@ -1,6 +1,6 @@
{
"name": "picoclaw-traffic-guardian",
"version": "0.0.1-beta2",
"version": "0.0.1-beta3",
"description": "Picoclaw runtime traffic monitoring baseline for lightweight AI gateway proxy inspection, egress detection, and posture integration.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",
+6
View File
@@ -1,5 +1,11 @@
# Changelog
## [0.0.7] - 2026-06-10
### Changed
- Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
## [0.0.6] - 2026-05-14
### Security
+8
View File
@@ -2,6 +2,14 @@
A small, dependency-free integrity guard for OpenClaw agent workspaces.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill soul-guardian -a openclaw -y
```
## Operational Notes
- Required runtime: `python3`
+10 -3
View File
@@ -1,6 +1,6 @@
---
name: soul-guardian
version: 0.0.6
version: 0.0.7
description: Drift detection + baseline integrity guard for agent workspace files with automatic alerting support
homepage: https://clawsec.prompt.security
metadata: {"openclaw":{"emoji":"👻","category":"security"}}
@@ -14,6 +14,14 @@ clawdis:
Protects your agent's core files (SOUL.md, AGENTS.md, etc.) from unauthorized changes with automatic detection, restoration, and **user alerting**.
## Vercel Skills Installation
Install with the Vercel Skills CLI for this harness:
```bash
npx skills add prompt-security/clawsec --skill soul-guardian -a openclaw -y
```
## Operational Notes
- Required runtime: `python3`
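Review bot: the install section lands above "Operational Notes" and "Release Artifact Verification", so a reader working top to bottom runs the `-y` install before reaching the trust model line about restore mode overwriting drifted files, and before the manifest check. Move the section below those two, or add a pointer to them next to the command.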
@@ -22,7 +30,6 @@ Protects your agent's core files (SOUL.md, AGENTS.md, etc.) from unauthorized ch
- Network behavior: none by default
- Trust model: any scheduling is opt-in, but restore mode intentionally overwrites drifted files
## Release Artifact Verification
For standalone installs, verify the signed release manifest before trusting `SKILL.md`, `skill.json`, or the archive. The `skill.json` file is the package metadata/SBOM source, and the release pipeline signs `checksums.json` with the ClawSec release key.
@@ -31,7 +38,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
set -euo pipefail
SKILL_NAME="soul-guardian"
VERSION="0.0.6"
VERSION="0.0.7"
REPO="prompt-security/clawsec"
TAG="${SKILL_NAME}-v${VERSION}"
BASE="https://github.com/${REPO}/releases/download/${TAG}"
+1 -1
View File
@@ -1,6 +1,6 @@
{
"name": "soul-guardian",
"version": "0.0.6",
"version": "0.0.7",
"description": "Drift detection and baseline integrity guard for agent workspace prompt files. Auto-restore critical files with tamper-evident audit logging.",
"author": "prompt-security",
"license": "AGPL-3.0-or-later",