diff --git a/.github/workflows/skill-release.yml b/.github/workflows/skill-release.yml
index cf65de2..263ad5e 100644
--- a/.github/workflows/skill-release.yml
+++ b/.github/workflows/skill-release.yml
@@ -152,14 +152,6 @@ jobs:
               md_version_changed=true
             fi
 
-            if [ "${json_version_changed}" != "true" ] && [ "${md_version_changed}" != "true" ]; then
-              echo "::error file=${skill_dir}::Changed skill package has no version bump. Update skill.json and SKILL.md versions and add CHANGELOG.md release notes."
-              failures=$((failures + 1))
-              continue
-            fi
-
-            echo "Version bump detected for ${skill_dir} (skill.json changed: ${json_version_changed}, SKILL.md changed: ${md_version_changed})"
-
             if [ ! -f "${json_path}" ]; then
               echo "::error file=${json_path}::Missing skill.json after version bump."
               failures=$((failures + 1))
@@ -190,6 +182,20 @@ jobs:
               continue
             fi
 
+            skill_release_name="$(basename "${skill_dir}")"
+            release_tag="${skill_release_name}-v${head_json_version}"
+            if [ "${json_version_changed}" != "true" ] && [ "${md_version_changed}" != "true" ]; then
+              if git show-ref --verify --quiet "refs/tags/${release_tag}"; then
+                echo "::error file=${skill_dir}::Changed skill package has no version bump and release tag ${release_tag} already exists. Update skill.json and SKILL.md versions and add CHANGELOG.md release notes."
+                failures=$((failures + 1))
+                continue
+              fi
+
+              echo "No version bump detected for ${skill_dir}, but release tag ${release_tag} does not exist; treating ${head_json_version} as unreleased."
+            else
+              echo "Version bump detected for ${skill_dir} (skill.json changed: ${json_version_changed}, SKILL.md changed: ${md_version_changed})"
+            fi
+
             echo "Version parity OK for ${skill_dir}: ${head_json_version}"
 
             changelog_path="${skill_dir}/CHANGELOG.md"
@@ -231,11 +237,11 @@ jobs:
           fi
 
           if [ "${failures}" -gt 0 ]; then
-            echo "::error::Found ${failures} skill metadata/release-notes issue(s) across ${checked_skills} bumped skill(s)."
+            echo "::error::Found ${failures} skill metadata/release-notes issue(s) across ${checked_skills} changed skill(s)."
             exit 1
           fi
 
-          echo "Validated ${checked_skills} bumped skill(s): version parity and changelog release notes are present."
+          echo "Validated ${checked_skills} changed skill(s): version parity and changelog release notes are present."
 
       - name: Validate npx skills install docs
         env:
diff --git a/scripts/test-skill-release-workflow.mjs b/scripts/test-skill-release-workflow.mjs
index ac2e0b1..f1af09b 100644
--- a/scripts/test-skill-release-workflow.mjs
+++ b/scripts/test-skill-release-workflow.mjs
@@ -37,13 +37,43 @@ assert.match(
 assert.doesNotMatch(
   workflow,
   /No version bump detected for \$\{skill_dir\}; skipping\./,
-  'Changed skill directories without a version bump must fail validation instead of being skipped',
+  'Changed skill directories without a version bump must not be skipped without release-tag validation',
 );
 
 assert.match(
   workflow,
-  /::error file=\$\{skill_dir\}::Changed skill package has no version bump\./,
-  'Skill release validation must emit an explicit missing-version-bump error',
+  /skill_release_name="\$\(basename "\$\{skill_dir\}"\)"/,
+  'Skill release validation must derive the release tag prefix from the skill package directory',
+);
+
+assert.match(
+  workflow,
+  /release_tag="\$\{skill_release_name\}-v\$\{head_json_version\}"/,
+  'Skill release validation must use the skill package directory name for release tag checks',
+);
+
+assert.doesNotMatch(
+  workflow,
+  /release_tag="\$\{head_skill_name\}-v\$\{head_json_version\}"/,
+  'Skill release validation must not use skill.json name for release tag checks because release tags resolve to skill directories',
+);
+
+assert.match(
+  workflow,
+  /git show-ref --verify --quiet "refs\/tags\/\$\{release_tag\}"/,
+  'Skill release validation must check whether the current skill version has already been tagged',
+);
+
+assert.match(
+  workflow,
+  /No version bump detected for \$\{skill_dir\}, but release tag \$\{release_tag\} does not exist; treating \$\{head_json_version\} as unreleased\./,
+  'Skill release validation must allow edits to an unchanged version when that release tag does not exist yet',
+);
+
+assert.match(
+  workflow,
+  /::error file=\$\{skill_dir\}::Changed skill package has no version bump and release tag \$\{release_tag\} already exists\./,
+  'Skill release validation must still fail unchanged versions after their release tag exists',
 );
 
 assert.match(
diff --git a/skills/openclaw-traffic-guardian/CHANGELOG.md b/skills/openclaw-traffic-guardian/CHANGELOG.md
index 0206a47..0d541b2 100644
--- a/skills/openclaw-traffic-guardian/CHANGELOG.md
+++ b/skills/openclaw-traffic-guardian/CHANGELOG.md
@@ -2,8 +2,12 @@
 
 ## [0.0.1-beta3] - 2026-06-10
 
-### Changed
+### Security
+- Added the `POLICY_REVIEW` scope for approval-sensitive social-account mutation requests, contributed by @kriptoburak.
+- Defined required JSONL metadata for social-account mutation findings, including source type, mutation category, approval-marker presence, and execution context.
 
+### Changed
+- Clarified that persistent social monitor and webhook configuration changes are review findings, while read-only social research should remain covered by no-false-positive tests.
 - Re-released skill package with updated marketplace grouping and signed release trust artifacts for Vercel-compatible skill installation.
 
 ## [0.0.1-beta2] - 2026-05-13
diff --git a/skills/openclaw-traffic-guardian/README.md b/skills/openclaw-traffic-guardian/README.md
index 17fba1f..62a175a 100644
--- a/skills/openclaw-traffic-guardian/README.md
+++ b/skills/openclaw-traffic-guardian/README.md
@@ -16,6 +16,7 @@ npx skills add prompt-security/clawsec --skill openclaw-traffic-guardian -a open
 
 - detect outbound secret exfiltration in agent HTTP/HTTPS traffic
 - detect inbound command-injection and tool-abuse payloads
+- record operator-review findings for approval-sensitive social-account mutations
 - write redacted local JSONL findings
 - provide explicit start, stop, status, and log-query commands
 - integrate with `clawsec-suite` as an optional add-on
diff --git a/skills/openclaw-traffic-guardian/SKILL.md b/skills/openclaw-traffic-guardian/SKILL.md
index 288316b..2bff64f 100644
--- a/skills/openclaw-traffic-guardian/SKILL.md
+++ b/skills/openclaw-traffic-guardian/SKILL.md
@@ -1,7 +1,7 @@
 ---
 name: openclaw-traffic-guardian
 version: 0.0.1-beta3
-description: OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, and inbound injection detection.
+description: OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, inbound injection detection, and social-account policy review.
 homepage: https://clawsec.prompt.security
 author: prompt-security
 license: AGPL-3.0-or-later
@@ -110,6 +110,7 @@ Builders should use this skill as the OpenClaw landing zone for runtime traffic
 - optional HTTPS inspection with per-process CA trust
 - outbound exfiltration detection
 - inbound injection detection
+- approval-sensitive social-account mutation review
 - redacted local threat logs
 - optional OpenClaw hook/status integration
 
@@ -143,8 +144,10 @@ Read `SPEC.md` before implementing. Use the placeholder folders as follows:
 3. Scope proxy environment variables to the target OpenClaw process.
 4. Inspect HTTP request/response text up to a bounded byte limit.
 5. Support optional HTTPS MITM only when the operator supplies per-process trust configuration.
-6. Emit JSONL findings with redacted snippets.
-7. Provide a `status` command that reports mode, listener, CA fingerprint if present, and last findings.
+6. Flag requests matching `SPEC.md`'s Outbound POLICY_REVIEW cases as operator-review findings, including TweetClaw or other X/Twitter automation writes and scheduler/background-runner repeats without a fresh operator-approval marker.
+7. Detect repeat/background-runner context from bounded request metadata such as paths, headers, user-agent, client context, tool invocation metadata, or scheduler identifiers.
+8. Emit JSONL findings with redacted snippets plus source type, mutation category, approval-marker presence, and direct-operator versus background-runner context.
+9. Provide a `status` command that reports mode, listener, CA fingerprint if present, and last findings.
 
 ## Out of Scope for v0.0.1 Implementation
 
diff --git a/skills/openclaw-traffic-guardian/SPEC.md b/skills/openclaw-traffic-guardian/SPEC.md
index eb068a9..bce3bec 100644
--- a/skills/openclaw-traffic-guardian/SPEC.md
+++ b/skills/openclaw-traffic-guardian/SPEC.md
@@ -45,6 +45,24 @@ Findings must be JSON objects with these fields:
 }
 ```
 
+`POLICY_REVIEW` findings must keep the same base schema and add these fields:
+
+```json
+{
+  "threat_type": "POLICY_REVIEW",
+  "pattern": "social_account_mutation",
+  "source_type": "openclaw_tool_request",
+  "mutation_category": "post",
+  "approval_marker_present": false,
+  "execution_context": "background_runner"
+}
+```
+
+- `source_type`: `http_request`, `openclaw_tool_request`, or `unknown`.
+- `mutation_category`: `post`, `reply`, `repost`, `like`, `follow`, `unfollow`, `dm`, `media_upload`, `persistent_monitor`, `webhook_config`, `giveaway_draw`, or `other_social_account_mutation`.
+- `approval_marker_present`: boolean; do not persist marker secrets or full approval tokens.
+- `execution_context`: `direct_operator`, `scheduler`, `background_runner`, or `unknown`.
+
 ## Minimum Detection Set
 
 Outbound EXFIL:
@@ -64,6 +82,12 @@ Inbound INJECTION:
 - destructive remove commands
 - SSH authorized-key injection shapes
 
+Outbound POLICY_REVIEW:
+
+- social-account write requests such as post, reply, repost, like, follow, unfollow, DM, media upload, persistent monitor creation/update, webhook configuration changes, or giveaway draw actions
+- OpenClaw plugin/tool requests that invoke TweetClaw or another X/Twitter automation plugin for account mutation
+- scheduler or background-runner requests that would repeat social-account mutations without a fresh operator approval
+
 ## Safety Requirements
 
 - Default mode is detect-and-log.
@@ -72,6 +96,7 @@ Inbound INJECTION:
 - Maximum scan bytes must be configurable and bounded.
 - CA trust must be per-process by default.
 - System trust-store instructions must require explicit operator confirmation and must never run automatically.
+- POLICY_REVIEW findings must create an operator-review record only; they must not auto-block, auto-approve, or rewrite the requested action.
 
 ## Tests Required Before Release
 
@@ -79,7 +104,7 @@ Inbound INJECTION:
 - redaction tests proving secrets are not persisted
 - proxy fixture tests for HTTP request and response inspection
 - no-false-positive tests for common benign traffic
+- policy-review fixture tests for TweetClaw/social-account mutation examples and benign read-only social research requests
 - lifecycle tests for stale PID/state cleanup
 - status output tests
 - OpenClaw hook integration tests if hook files are added
-
diff --git a/skills/openclaw-traffic-guardian/skill.json b/skills/openclaw-traffic-guardian/skill.json
index 3f0845e..76182a5 100644
--- a/skills/openclaw-traffic-guardian/skill.json
+++ b/skills/openclaw-traffic-guardian/skill.json
@@ -1,7 +1,7 @@
 {
   "name": "openclaw-traffic-guardian",
   "version": "0.0.1-beta3",
-  "description": "OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, and inbound injection detection.",
+  "description": "OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, inbound injection detection, and social-account policy review.",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",
   "homepage": "https://clawsec.prompt.security/",
@@ -15,7 +15,10 @@
     "injection",
     "proxy",
     "mitm",
-    "runtime"
+    "runtime",
+    "policy-review",
+    "operator-review",
+    "social-account-mutation"
   ],
   "sbom": {
     "files": [
@@ -84,6 +87,7 @@
       "https_mitm_inspection": "planned_optional",
       "egress_exfiltration_detection": "planned",
       "inbound_injection_detection": "planned",
+      "social_account_policy_review": "planned",
       "blocking": "future_version"
     },
     "execution": {
@@ -96,6 +100,7 @@
       "Default to detect-and-log mode; blocking is out of scope for v0.0.1 implementation.",
       "Scope HTTP_PROXY/HTTPS_PROXY to the OpenClaw process being monitored.",
       "Redact secret snippets before writing logs or sending conversation alerts.",
+      "Record POLICY_REVIEW findings for approval-sensitive social-account mutations without auto-blocking, auto-approving, or rewriting requests.",
       "Integrate with clawsec-suite as an optional add-on, not a default install."
     ],
     "triggers": [
@@ -103,7 +108,9 @@
       "openclaw traffic monitoring",
       "monitor openclaw egress",
       "inspect openclaw http traffic",
-      "detect openclaw exfiltration"
+      "detect openclaw exfiltration",
+      "review social account mutations",
+      "detect tweetclaw write actions"
     ]
   }
 }