chore(release): bump all public skills (#283)

* chore(skill): bump clawhub checker release

* chore(release): bump all public skills

* fix(release): require skillspector PR comments

* fix(release): align skill verification versions

* fix(release): checksum standalone release assets

* fix(release): narrow skillspector comment permissions

.github/clawhub-cli/package-lock.json

@@ -11,7 +11,7 @@
     },
     "node_modules/@ark/schema": {
       "version": "0.56.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/@ark/schema/-/schema-0.56.0.tgz",
+      "resolved": "https://registry.npmjs.org/@ark/schema/-/schema-0.56.0.tgz",
       "integrity": "sha512-ECg3hox/6Z/nLajxXqNhgPtNdHWC9zNsDyskwO28WinoFEnWow4IsERNz9AnXRhTZJnYIlAJ4uGn3nlLk65vZA==",
       "dependencies": {
         "@ark/util": "0.56.0"
@@ -19,12 +19,12 @@
     },
     "node_modules/@ark/util": {
       "version": "0.56.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/@ark/util/-/util-0.56.0.tgz",
+      "resolved": "https://registry.npmjs.org/@ark/util/-/util-0.56.0.tgz",
       "integrity": "sha512-BghfRC8b9pNs3vBoDJhcta0/c1J1rsoS1+HgVUreMFPdhz/CRAKReAu57YEllNaSy98rWAdY1gE+gFup7OXpgA=="
     },
     "node_modules/@clack/core": {
       "version": "0.5.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/@clack/core/-/core-0.5.0.tgz",
+      "resolved": "https://registry.npmjs.org/@clack/core/-/core-0.5.0.tgz",
       "integrity": "sha512-p3y0FIOwaYRUPRcMO7+dlmLh8PSRcrjuTndsiA0WAFbWES0mLZlrjVoBRZ9DzkPFJZG6KGkJmoEAY0ZcVWTkow==",
       "dependencies": {
         "picocolors": "^1.0.0",
@@ -33,7 +33,7 @@
     },
     "node_modules/@clack/prompts": {
       "version": "0.11.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/@clack/prompts/-/prompts-0.11.0.tgz",
+      "resolved": "https://registry.npmjs.org/@clack/prompts/-/prompts-0.11.0.tgz",
       "integrity": "sha512-pMN5FcrEw9hUkZA4f+zLlzivQSeQf5dRGJjSUbvVYDLvpKCdQx5OaknvKzgbtXOizhP+SJJJjqEbOe55uKKfAw==",
       "dependencies": {
         "@clack/core": "0.5.0",
@@ -43,7 +43,7 @@
     },
     "node_modules/ansi-regex": {
       "version": "6.2.2",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/ansi-regex/-/ansi-regex-6.2.2.tgz",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.2.2.tgz",
       "integrity": "sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==",
       "engines": {
         "node": ">=12"
@@ -54,7 +54,7 @@
     },
     "node_modules/arkregex": {
       "version": "0.0.5",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/arkregex/-/arkregex-0.0.5.tgz",
+      "resolved": "https://registry.npmjs.org/arkregex/-/arkregex-0.0.5.tgz",
       "integrity": "sha512-ncYjBdLlh5/QnVsAA8De16Tc9EqmYM7y/WU9j+236KcyYNUXogpz3sC4ATIZYzzLxwI+0sEOaQLEmLmRleaEXw==",
       "dependencies": {
         "@ark/util": "0.56.0"
@@ -62,7 +62,7 @@
     },
     "node_modules/arktype": {
       "version": "2.2.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/arktype/-/arktype-2.2.0.tgz",
+      "resolved": "https://registry.npmjs.org/arktype/-/arktype-2.2.0.tgz",
       "integrity": "sha512-t54MZ7ti5BhOEvzEkgKnWvqj+UbDfWig+DHr5I34xatymPusKLS0lQpNJd8M6DzmIto2QGszHfNKoFIT8tMCZQ==",
       "dependencies": {
         "@ark/schema": "0.56.0",
@@ -72,7 +72,7 @@
     },
     "node_modules/chalk": {
       "version": "5.6.2",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/chalk/-/chalk-5.6.2.tgz",
+      "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.6.2.tgz",
       "integrity": "sha512-7NzBL0rN6fMUW+f7A6Io4h40qQlG+xGmtMxfbnH/K7TAtt8JQWVQK+6g0UXKMeVJoyV5EkkNsErQ8pVD3bLHbA==",
       "engines": {
         "node": "^12.17.0 || ^14.13 || >=16.0.0"
@@ -83,7 +83,7 @@
     },
     "node_modules/clawhub": {
       "version": "0.7.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/clawhub/-/clawhub-0.7.0.tgz",
+      "resolved": "https://registry.npmjs.org/clawhub/-/clawhub-0.7.0.tgz",
       "integrity": "sha512-volW6SbX8PawlnRxxCoUTKv5Pi+N3MrBi3hlO5/m9bVaO43UFciEeYti9+01c2U5n/SKhUkw7ASvnleyNmcoSA==",
       "dependencies": {
         "@clack/prompts": "^0.11.0",
@@ -108,7 +108,7 @@
     },
     "node_modules/cli-cursor": {
       "version": "5.0.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/cli-cursor/-/cli-cursor-5.0.0.tgz",
+      "resolved": "https://registry.npmjs.org/cli-cursor/-/cli-cursor-5.0.0.tgz",
       "integrity": "sha512-aCj4O5wKyszjMmDT4tZj93kxyydN/K5zPWSCe6/0AV/AA1pqe5ZBIw0a2ZfPQV7lL5/yb5HsUreJ6UFAF1tEQw==",
       "dependencies": {
         "restore-cursor": "^5.0.0"
@@ -122,7 +122,7 @@
     },
     "node_modules/cli-spinners": {
       "version": "3.4.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/cli-spinners/-/cli-spinners-3.4.0.tgz",
+      "resolved": "https://registry.npmjs.org/cli-spinners/-/cli-spinners-3.4.0.tgz",
       "integrity": "sha512-bXfOC4QcT1tKXGorxL3wbJm6XJPDqEnij2gQ2m7ESQuE+/z9YFIWnl/5RpTiKWbMq3EVKR4fRLJGn6DVfu0mpw==",
       "engines": {
         "node": ">=18.20"
@@ -133,7 +133,7 @@
     },
     "node_modules/commander": {
       "version": "14.0.3",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/commander/-/commander-14.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-14.0.3.tgz",
       "integrity": "sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw==",
       "engines": {
         "node": ">=20"
@@ -141,12 +141,12 @@
     },
     "node_modules/fflate": {
       "version": "0.8.3",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/fflate/-/fflate-0.8.3.tgz",
+      "resolved": "https://registry.npmjs.org/fflate/-/fflate-0.8.3.tgz",
       "integrity": "sha512-tbZNuJrLwGUp3zshBtdy4W+ORxZuIh8a5ilyIEQDC5rY1f3U20JMry0Ll3WBzU58EZKsEuJFXhb5gwv8CsPvgA=="
     },
     "node_modules/get-east-asian-width": {
       "version": "1.6.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/get-east-asian-width/-/get-east-asian-width-1.6.0.tgz",
+      "resolved": "https://registry.npmjs.org/get-east-asian-width/-/get-east-asian-width-1.6.0.tgz",
       "integrity": "sha512-QRbvDIbx6YklUe6RxeTeleMR0yv3cYH6PsPZHcnVn7xv7zO1BHN8r0XETu8n6Ye3Q+ahtSarc3WgtNWmehIBfA==",
       "engines": {
         "node": ">=18"
@@ -157,7 +157,7 @@
     },
     "node_modules/ignore": {
       "version": "7.0.5",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/ignore/-/ignore-7.0.5.tgz",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz",
       "integrity": "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==",
       "engines": {
         "node": ">= 4"
@@ -165,7 +165,7 @@
     },
     "node_modules/is-interactive": {
       "version": "2.0.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/is-interactive/-/is-interactive-2.0.0.tgz",
+      "resolved": "https://registry.npmjs.org/is-interactive/-/is-interactive-2.0.0.tgz",
       "integrity": "sha512-qP1vozQRI+BMOPcjFzrjXuQvdak2pHNUMZoeG2eRbiSqyvbEf/wQtEOTOX1guk6E3t36RkaqiSt8A/6YElNxLQ==",
       "engines": {
         "node": ">=12"
@@ -176,7 +176,7 @@
     },
     "node_modules/is-network-error": {
       "version": "1.3.2",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/is-network-error/-/is-network-error-1.3.2.tgz",
+      "resolved": "https://registry.npmjs.org/is-network-error/-/is-network-error-1.3.2.tgz",
       "integrity": "sha512-PhBY86zaxNZUuWP6h13Vu5oFe0XY6/UlKzQnYFELzGVHygP3MxmvTfYSG7GN3aIab/iWudSMgjSnG9Dq+nHrgA==",
       "engines": {
         "node": ">=16"
@@ -187,7 +187,7 @@
     },
     "node_modules/is-unicode-supported": {
       "version": "2.1.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/is-unicode-supported/-/is-unicode-supported-2.1.0.tgz",
+      "resolved": "https://registry.npmjs.org/is-unicode-supported/-/is-unicode-supported-2.1.0.tgz",
       "integrity": "sha512-mE00Gnza5EEB3Ds0HfMyllZzbBrmLOX3vfWoj9A9PEnTfratQ/BcaJOuMhnkhjXvb2+FkY3VuHqtAGpTPmglFQ==",
       "engines": {
         "node": ">=18"
@@ -198,7 +198,7 @@
     },
     "node_modules/json5": {
       "version": "2.2.3",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/json5/-/json5-2.2.3.tgz",
+      "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz",
       "integrity": "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==",
       "bin": {
         "json5": "lib/cli.js"
@@ -209,7 +209,7 @@
     },
     "node_modules/log-symbols": {
       "version": "7.0.1",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/log-symbols/-/log-symbols-7.0.1.tgz",
+      "resolved": "https://registry.npmjs.org/log-symbols/-/log-symbols-7.0.1.tgz",
       "integrity": "sha512-ja1E3yCr9i/0hmBVaM0bfwDjnGy8I/s6PP4DFp+yP+a+mrHO4Rm7DtmnqROTUkHIkqffC84YY7AeqX6oFk0WFg==",
       "dependencies": {
         "is-unicode-supported": "^2.0.0",
@@ -224,7 +224,7 @@
     },
     "node_modules/mime": {
       "version": "4.1.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/mime/-/mime-4.1.0.tgz",
+      "resolved": "https://registry.npmjs.org/mime/-/mime-4.1.0.tgz",
       "integrity": "sha512-X5ju04+cAzsojXKes0B/S4tcYtFAJ6tTMuSPBEn9CPGlrWr8Fiw7qYeLT0XyH80HSoAoqWCaz+MWKh22P7G1cw==",
       "funding": [
         "https://github.com/sponsors/broofa"
@@ -238,7 +238,7 @@
     },
     "node_modules/mimic-function": {
       "version": "5.0.1",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/mimic-function/-/mimic-function-5.0.1.tgz",
+      "resolved": "https://registry.npmjs.org/mimic-function/-/mimic-function-5.0.1.tgz",
       "integrity": "sha512-VP79XUPxV2CigYP3jWwAUFSku2aKqBH7uTAapFWCBqutsbmDo96KY5o8uh6U+/YSIn5OxJnXp73beVkpqMIGhA==",
       "engines": {
         "node": ">=18"
@@ -249,7 +249,7 @@
     },
     "node_modules/onetime": {
       "version": "7.0.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/onetime/-/onetime-7.0.0.tgz",
+      "resolved": "https://registry.npmjs.org/onetime/-/onetime-7.0.0.tgz",
       "integrity": "sha512-VXJjc87FScF88uafS3JllDgvAm+c/Slfz06lorj2uAY34rlUu0Nt+v8wreiImcrgAjjIHp1rXpTDlLOGw29WwQ==",
       "dependencies": {
         "mimic-function": "^5.0.0"
@@ -263,7 +263,7 @@
     },
     "node_modules/ora": {
       "version": "9.4.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/ora/-/ora-9.4.0.tgz",
+      "resolved": "https://registry.npmjs.org/ora/-/ora-9.4.0.tgz",
       "integrity": "sha512-84cglkRILFxdtA8hAvLNdMrtBpPNBTrQ9/ulg0FA7xLMnD6mifv+enAIeRmvtv+WgdCE+LPGOfQmtJRrVaIVhQ==",
       "dependencies": {
         "chalk": "^5.6.2",
@@ -284,7 +284,7 @@
     },
     "node_modules/p-retry": {
       "version": "7.1.1",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/p-retry/-/p-retry-7.1.1.tgz",
+      "resolved": "https://registry.npmjs.org/p-retry/-/p-retry-7.1.1.tgz",
       "integrity": "sha512-J5ApzjyRkkf601HpEeykoiCvzHQjWxPAHhyjFcEUP2SWq0+35NKh8TLhpLw+Dkq5TZBFvUM6UigdE9hIVYTl5w==",
       "dependencies": {
         "is-network-error": "^1.1.0"
@@ -298,12 +298,12 @@
     },
     "node_modules/picocolors": {
       "version": "1.1.1",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/picocolors/-/picocolors-1.1.1.tgz",
+      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
       "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA=="
     },
     "node_modules/restore-cursor": {
       "version": "5.1.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/restore-cursor/-/restore-cursor-5.1.0.tgz",
+      "resolved": "https://registry.npmjs.org/restore-cursor/-/restore-cursor-5.1.0.tgz",
       "integrity": "sha512-oMA2dcrw6u0YfxJQXm342bFKX/E4sG9rbTzO9ptUcR/e8A33cHuvStiYOwH7fszkZlZ1z/ta9AAoPk2F4qIOHA==",
       "dependencies": {
         "onetime": "^7.0.0",
@@ -318,7 +318,7 @@
     },
     "node_modules/semver": {
       "version": "7.8.4",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/semver/-/semver-7.8.4.tgz",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.4.tgz",
       "integrity": "sha512-rUCObTnP32Q08R2uuIrt7r9PlEonuTmtuXYcW6s5kjdlj3xbnwe+21yXptAUYcMAABLkYYTtnmzb3w3EDZfueA==",
       "bin": {
         "semver": "bin/semver.js"
@@ -329,7 +329,7 @@
     },
     "node_modules/signal-exit": {
       "version": "4.1.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/signal-exit/-/signal-exit-4.1.0.tgz",
+      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz",
       "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==",
       "engines": {
         "node": ">=14"
@@ -340,12 +340,12 @@
     },
     "node_modules/sisteransi": {
       "version": "1.0.5",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/sisteransi/-/sisteransi-1.0.5.tgz",
+      "resolved": "https://registry.npmjs.org/sisteransi/-/sisteransi-1.0.5.tgz",
       "integrity": "sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg=="
     },
     "node_modules/stdin-discarder": {
       "version": "0.3.2",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/stdin-discarder/-/stdin-discarder-0.3.2.tgz",
+      "resolved": "https://registry.npmjs.org/stdin-discarder/-/stdin-discarder-0.3.2.tgz",
       "integrity": "sha512-eCPu1qRxPVkl5605OTWF8Wz40b4Mf45NY5LQmVPQ599knfs5QhASUm9GbJ5BDMDOXgrnh0wyEdvzmL//YMlw0A==",
       "engines": {
         "node": ">=18"
@@ -356,7 +356,7 @@
     },
     "node_modules/string-width": {
       "version": "8.2.1",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/string-width/-/string-width-8.2.1.tgz",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-8.2.1.tgz",
       "integrity": "sha512-IIaP0g3iy9Cyy18w3M9YcaDudujEAVHKt3a3QJg1+sr/oX96TbaGUubG0hJyCjCBThFH+tFpcIyoUHUn1ogaLA==",
       "dependencies": {
         "get-east-asian-width": "^1.5.0",
@@ -371,7 +371,7 @@
     },
     "node_modules/strip-ansi": {
       "version": "7.2.0",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/strip-ansi/-/strip-ansi-7.2.0.tgz",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.2.0.tgz",
       "integrity": "sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==",
       "dependencies": {
         "ansi-regex": "^6.2.2"
@@ -384,16 +384,16 @@
       }
     },
     "node_modules/undici": {
-      "version": "7.27.2",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/undici/-/undici-7.27.2.tgz",
-      "integrity": "sha512-uZsKNuzQxDMUY6M3pIMvy5tvlGmtq8XJ2oLAkfRKGNu+1VQAIvLy2xIVG5ATZl5wDXl/tddByAWCizRbOme+TA==",
+      "version": "7.28.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz",
+      "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==",
       "engines": {
         "node": ">=20.18.1"
       }
     },
     "node_modules/yoctocolors": {
       "version": "2.1.2",
-      "resolved": "https://prompt-security-443370709039.d.codeartifact.eu-north-1.amazonaws.com/npm/npm-proxy/yoctocolors/-/yoctocolors-2.1.2.tgz",
+      "resolved": "https://registry.npmjs.org/yoctocolors/-/yoctocolors-2.1.2.tgz",
       "integrity": "sha512-CzhO+pFNo8ajLM2d2IW/R93ipy99LWjtwblvC1RsoSUMZgyLbYFr221TnSNT7GjGdYui6P459mw9JH/g/zW2ug==",
       "engines": {
         "node": ">=18"

.github/workflows/skill-release.yml

@@ -7,6 +7,8 @@ on:
   pull_request:
     paths:
       - 'skills/**'
+      - '!skills/clawsec-feed/advisories/feed.json'
+      - '!skills/clawsec-feed/advisories/feed.json.sig'
       - '.github/workflows/skill-release.yml'
       - 'scripts/ci/**'
       - 'scripts/test-skill-*.mjs'
@@ -19,7 +21,7 @@ on:
 
 permissions: read-all
 
-# The clawhub CLI version is pinned (with integrity hashes) in
+# The ClawHub CLI version is pinned (with integrity hashes) in
 # .github/clawhub-cli/package-lock.json — bump it there.
 
 concurrency:
@@ -88,6 +90,8 @@ jobs:
           touched_skills_file="$(mktemp)"
           git diff --name-only "${BASE_SHA}...${HEAD_SHA}" -- \
             'skills/*/**' \
+            ':(exclude)skills/clawsec-feed/advisories/feed.json' \
+            ':(exclude)skills/clawsec-feed/advisories/feed.json.sig' \
             ':(exclude)skills/*/test/**' \
             ':(exclude)skills/*/tests/**' \
             | awk -F/ '
@@ -410,6 +414,8 @@ jobs:
           touched_skills_file="$(mktemp)"
           git diff --name-only "${BASE_SHA}...${HEAD_SHA}" -- \
             'skills/*/**' \
+            ':(exclude)skills/clawsec-feed/advisories/feed.json' \
+            ':(exclude)skills/clawsec-feed/advisories/feed.json.sig' \
             ':(exclude)skills/*/test/**' \
             ':(exclude)skills/*/tests/**' \
             | awk -F/ 'NF >= 3 {print $1 "/" $2}' \
@@ -769,6 +775,35 @@ jobs:
               cp "${skill_dir}/README.md" "${out_assets}/README.md"
             fi
 
+            if ! add_release_asset_checksum "${out_assets}" "skill.json"; then
+              failures=$((failures + 1))
+              rm -rf "${staging_dir}"
+              echo "::endgroup::"
+              continue
+            fi
+
+            if ! add_release_asset_checksum "${out_assets}" "SKILL.md"; then
+              failures=$((failures + 1))
+              rm -rf "${staging_dir}"
+              echo "::endgroup::"
+              continue
+            fi
+
+            if [ -f "${out_assets}/README.md" ] && ! add_release_asset_checksum "${out_assets}" "README.md"; then
+              failures=$((failures + 1))
+              rm -rf "${staging_dir}"
+              echo "::endgroup::"
+              continue
+            fi
+
+            if ! jq -e . "${out_assets}/checksums.json" >/dev/null 2>&1; then
+              echo "::error::Generated checksums.json is invalid JSON after adding standalone release assets."
+              failures=$((failures + 1))
+              rm -rf "${staging_dir}"
+              echo "::endgroup::"
+              continue
+            fi
+
             rm -rf "${staging_dir}"
 
             echo "Prepared dry-run assets for ${tag}:"
@@ -822,15 +857,12 @@ jobs:
     if: always() && github.event_name == 'pull_request' && needs.release.result != 'cancelled'
     needs: release
     runs-on: ubuntu-latest
-    continue-on-error: true
     permissions:
       actions: read
       contents: read
       issues: write
-      pull-requests: read
     steps:
       - name: Download SkillSpector reports
-        continue-on-error: true
         uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: skillspector-pr-reports
@@ -1420,6 +1452,17 @@ jobs:
             cp "$SKILL_PATH/README.md" release-assets/
           fi
 
+          add_release_asset_checksum "skill.json"
+          add_release_asset_checksum "SKILL.md"
+          if [ -f release-assets/README.md ]; then
+            add_release_asset_checksum "README.md"
+          fi
+
+          if ! jq -e . "release-assets/checksums.json" >/dev/null 2>&1; then
+            echo "::error::Generated checksums.json is invalid JSON after adding standalone release assets."
+            exit 1
+          fi
+
           rm -rf "$STAGING_DIR"
 
           echo "=== checksums.json ==="
@@ -1685,10 +1728,6 @@ jobs:
       contents: read
     env:
       CLAWHUB_TOKEN: ${{ secrets.CLAWHUB_TOKEN }}
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
-      AWS_REGION: eu-north-1
     steps:
       - name: Check if publishable
         if: needs.release-tag.outputs.publish_clawhub != 'true'
@@ -1711,7 +1750,7 @@ jobs:
         run: bash scripts/ci/install_clawhub_cli.sh
 
       - name: Patch clawhub publish payload workaround
-        # Temporary: clawhub@0.7.0 publish payload is missing acceptLicenseTerms.
+        # Idempotent compatibility guard: older clawhub@0.7.0 builds omitted acceptLicenseTerms.
         if: needs.release-tag.outputs.publish_clawhub == 'true' && env.CLAWHUB_TOKEN != ''
         run: node scripts/ci/patch_clawhub_publish_payload.mjs
 
@@ -1726,6 +1765,18 @@ jobs:
           CLAWHUB_DISABLE_TELEMETRY=1 CLAWHUB_SITE="$SITE" CLAWHUB_REGISTRY="$REGISTRY" \
             clawhub login --token "$CLAWHUB_TOKEN" --site "$SITE" --no-input
 
+      - name: Guard ClawHub slug ownership
+        if: needs.release-tag.outputs.publish_clawhub == 'true' && env.CLAWHUB_TOKEN != ''
+        run: |
+          set -euo pipefail
+          SITE=${CLAWHUB_SITE:-https://clawhub.ai}
+          REGISTRY=${CLAWHUB_REGISTRY:-$SITE}
+          export CLAWHUB_CONFIG_PATH="$HOME/.clawhub-ci/config.json"
+          export CLAWHUB_SITE="$SITE"
+          export CLAWHUB_REGISTRY="$REGISTRY"
+          bash scripts/ci/guard_clawhub_slug_owner.sh \
+            "${{ needs.release-tag.outputs.clawhub_slug }}"
+
       - name: Guard duplicate ClawHub version
         if: needs.release-tag.outputs.publish_clawhub == 'true' && env.CLAWHUB_TOKEN != ''
         run: |
@@ -1795,10 +1846,6 @@ jobs:
       contents: read
     env:
       CLAWHUB_TOKEN: ${{ secrets.CLAWHUB_TOKEN }}
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
-      AWS_REGION: eu-north-1
     steps:
       - name: Parse tag
         id: parse
@@ -1819,7 +1866,9 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Prepare ClawHub slug helper
-        run: cp scripts/ci/resolve_clawhub_slug.mjs "$RUNNER_TEMP/resolve_clawhub_slug.mjs"
+        run: |
+          cp scripts/ci/resolve_clawhub_slug.mjs "$RUNNER_TEMP/resolve_clawhub_slug.mjs"
+          cp scripts/ci/skill_platforms.mjs "$RUNNER_TEMP/skill_platforms.mjs"
 
       - name: Checkout tag
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -1866,7 +1915,7 @@ jobs:
         run: bash scripts/ci/install_clawhub_cli.sh
 
       - name: Patch clawhub publish payload workaround
-        # Temporary: clawhub@0.7.0 publish payload is missing acceptLicenseTerms.
+        # Idempotent compatibility guard: older clawhub@0.7.0 builds omitted acceptLicenseTerms.
         run: node scripts/ci/patch_clawhub_publish_payload.mjs
 
       - name: Login to ClawHub
@@ -1884,6 +1933,17 @@ jobs:
           CLAWHUB_DISABLE_TELEMETRY=1 CLAWHUB_SITE="$SITE" CLAWHUB_REGISTRY="$REGISTRY" \
             clawhub login --token "$CLAWHUB_TOKEN" --site "$SITE" --no-input
 
+      - name: Guard ClawHub slug ownership
+        run: |
+          set -euo pipefail
+          SITE=${CLAWHUB_SITE:-https://clawhub.ai}
+          REGISTRY=${CLAWHUB_REGISTRY:-$SITE}
+          export CLAWHUB_CONFIG_PATH="$HOME/.clawhub-ci/config.json"
+          export CLAWHUB_SITE="$SITE"
+          export CLAWHUB_REGISTRY="$REGISTRY"
+          bash scripts/ci/guard_clawhub_slug_owner.sh \
+            "${{ steps.publishable.outputs.clawhub_slug }}"
+
       - name: Publish to ClawHub
         run: |
           set -euo pipefail

advisories/feed.json.sig

@@ -1 +1 @@
-jPrlTYwicRwoQgTs5Rk3Y3g6Lz78jNRs9ZNf0R09M4jkJokZENxfvhvHphI9MH4u+7wv0sFZ+yZbQtJ42y+hCQ==
+K19pfVfv7qB1cqFPFTu69+sKLHIMIrmS7GeK4BZIlHzRvrLfRUuq/KftC8/CIWwvixVlBBm/iZlyfJ5sutoDDw==

advisories/ghsa-without-cve.json.sig

@@ -1 +1 @@
-M1Jm4YHXsm0msygmd+XCJBRWMrXIjQfv1Y5v7XS8RCachLQwEzUJ1nhhic6CXxItNLmvgmDjVCMPVdHpnOMqDA==
+pmw3QutYARGuNH2evzHY/slVqxsrIGU+JrtS1hr1kOSqo1Md1aVBEA0tsNoQ+SkVjNohwGVk/61CcUxeW6WAAA==

package-lock.json

@@ -31,11 +31,12 @@
       }
     },
     "node_modules/@babel/code-frame": {
-      "version": "7.29.0",
-      "integrity": "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==",
+      "version": "7.29.7",
+      "integrity": "sha512-Aup7aUOfpbAUg2ROOJN6Iw5f9DMBlzu0mIkm/malLQFN/YQgO48wCj0Kxa3sEHJvPVFg7siR+qRInwXd2qhQKw==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
-        "@babel/helper-validator-identifier": "^7.28.5",
+        "@babel/helper-validator-identifier": "^7.29.7",
         "js-tokens": "^4.0.0",
         "picocolors": "^1.1.1"
       },
@@ -44,27 +45,29 @@
       }
     },
     "node_modules/@babel/compat-data": {
-      "version": "7.29.0",
-      "integrity": "sha512-T1NCJqT/j9+cn8fvkt7jtwbLBfLC/1y1c7NtCeXFRgzGTsafi68MRv8yzkYSapBnFA6L3U2VSc02ciDzoAJhJg==",
+      "version": "7.29.7",
+      "integrity": "sha512-locTkQyKvwIEgBzVrn8693ebc97F2U8ZHjbXwDXJ5Fn2TCpNwTlKcaKLkdHop5c/icOFE7qt7Q9JC5hnKNa6Gg==",
       "dev": true,
+      "license": "MIT",
       "engines": {
         "node": ">=6.9.0"
       }
     },
     "node_modules/@babel/core": {
-      "version": "7.29.0",
-      "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
+      "version": "7.29.7",
+      "integrity": "sha512-RgHBCvtjbOK2gXSNBNIkNoEc9qoVEtau3hj8gEqKQuL3HZAibKarWFEI3Lfm6EYKkLalOh8eSrj9b+ch9H/VBA==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
-        "@babel/code-frame": "^7.29.0",
-        "@babel/generator": "^7.29.0",
-        "@babel/helper-compilation-targets": "^7.28.6",
-        "@babel/helper-module-transforms": "^7.28.6",
-        "@babel/helpers": "^7.28.6",
-        "@babel/parser": "^7.29.0",
-        "@babel/template": "^7.28.6",
-        "@babel/traverse": "^7.29.0",
-        "@babel/types": "^7.29.0",
+        "@babel/code-frame": "^7.29.7",
+        "@babel/generator": "^7.29.7",
+        "@babel/helper-compilation-targets": "^7.29.7",
+        "@babel/helper-module-transforms": "^7.29.7",
+        "@babel/helpers": "^7.29.7",
+        "@babel/parser": "^7.29.7",
+        "@babel/template": "^7.29.7",
+        "@babel/traverse": "^7.29.7",
+        "@babel/types": "^7.29.7",
         "@jridgewell/remapping": "^2.3.5",
         "convert-source-map": "^2.0.0",
         "debug": "^4.1.0",
@@ -89,12 +92,13 @@
       }
     },
     "node_modules/@babel/generator": {
-      "version": "7.29.0",
-      "integrity": "sha512-vSH118/wwM/pLR38g/Sgk05sNtro6TlTJKuiMXDaZqPUfjTFcudpCOt00IhOfj+1BFAX+UFAlzCU+6WXr3GLFQ==",
+      "version": "7.29.7",
+      "integrity": "sha512-DkXD5OJQaAQIdZ1bt3UZdEnHAn9Imd3IVBdX03UFe+ony9Ojw5pzr9YVKGDY1jt+Gcn/FnGkNf8r+Vj5NOJWtQ==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
-        "@babel/parser": "^7.29.0",
-        "@babel/types": "^7.29.0",
+        "@babel/parser": "^7.29.7",
+        "@babel/types": "^7.29.7",
         "@jridgewell/gen-mapping": "^0.3.12",
         "@jridgewell/trace-mapping": "^0.3.28",
         "jsesc": "^3.0.2"
@@ -104,12 +108,13 @@
       }
     },
     "node_modules/@babel/helper-compilation-targets": {
-      "version": "7.28.6",
-      "integrity": "sha512-JYtls3hqi15fcx5GaSNL7SCTJ2MNmjrkHXg4FSpOA/grxK8KwyZ5bubHsCq8FXCkua6xhuaaBit+3b7+VZRfcA==",
+      "version": "7.29.7",
+      "integrity": "sha512-wem6WaBj4NaVYVdNhLPPVacES6ZJ+KBBfSkTMD3YZxbP3rm3Di85tJU5ljaUNhaOynt+Aj0xruhYuzQBt8n71g==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
-        "@babel/compat-data": "^7.28.6",
-        "@babel/helper-validator-option": "^7.27.1",
+        "@babel/compat-data": "^7.29.7",
+        "@babel/helper-validator-option": "^7.29.7",
         "browserslist": "^4.24.0",
         "lru-cache": "^5.1.1",
         "semver": "^6.3.1"
@@ -127,33 +132,36 @@
       }
     },
     "node_modules/@babel/helper-globals": {
-      "version": "7.28.0",
-      "integrity": "sha512-+W6cISkXFa1jXsDEdYA8HeevQT/FULhxzR99pxphltZcVaugps53THCeiWA8SguxxpSp3gKPiuYfSWopkLQ4hw==",
+      "version": "7.29.7",
+      "integrity": "sha512-3nQVUAtvkKH9zahfWgw96Jc/uFOmjACE1kQz82E2lqWmHBgjzbNlsC22nuQTfahmWeQtTq5nQ/4Nnd2A1wj4zA==",
       "dev": true,
+      "license": "MIT",
       "engines": {
         "node": ">=6.9.0"
       }
     },
     "node_modules/@babel/helper-module-imports": {
-      "version": "7.28.6",
-      "integrity": "sha512-l5XkZK7r7wa9LucGw9LwZyyCUscb4x37JWTPz7swwFE/0FMQAGpiWUZn8u9DzkSBWEcK25jmvubfpw2dnAMdbw==",
+      "version": "7.29.7",
+      "integrity": "sha512-ejHwrQQYcm9xnTivShn2IDOlIzInN34AXskvq9QicvCtEzq1Vzclu/tKF8Jq1Cg8JG2GL6/EmjgsCT7lXepE3g==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
-        "@babel/traverse": "^7.28.6",
-        "@babel/types": "^7.28.6"
+        "@babel/traverse": "^7.29.7",
+        "@babel/types": "^7.29.7"
       },
       "engines": {
         "node": ">=6.9.0"
       }
     },
     "node_modules/@babel/helper-module-transforms": {
-      "version": "7.28.6",
-      "integrity": "sha512-67oXFAYr2cDLDVGLXTEABjdBJZ6drElUSI7WKp70NrpyISso3plG9SAGEF6y7zbha/wOzUByWWTJvEDVNIUGcA==",
+      "version": "7.29.7",
+      "integrity": "sha512-UPUVSyXbOh627KiCIGQSgwWzGeBKLkaJ9PJEdrngIwMSzxLR4jS4+f1f1jb7VzBbg8nFLaYotvVPFCTqdrmTAg==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
-        "@babel/helper-module-imports": "^7.28.6",
-        "@babel/helper-validator-identifier": "^7.28.5",
-        "@babel/traverse": "^7.28.6"
+        "@babel/helper-module-imports": "^7.29.7",
+        "@babel/helper-validator-identifier": "^7.29.7",
+        "@babel/traverse": "^7.29.7"
       },
       "engines": {
         "node": ">=6.9.0"
@@ -163,79 +171,84 @@
       }
     },
     "node_modules/@babel/helper-string-parser": {
-      "version": "7.27.1",
-      "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
+      "version": "7.29.7",
+      "integrity": "sha512-Pb5ijPrZ89GDH8223L4UP8i6QApWxs04RbPQJTeWDV0/keR2E36MeKnyr6LYmUUvqRRI+Iv87SuF1W6ErINzYw==",
       "dev": true,
+      "license": "MIT",
       "engines": {
         "node": ">=6.9.0"
       }
     },
     "node_modules/@babel/helper-validator-identifier": {
-      "version": "7.28.5",
-      "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
+      "version": "7.29.7",
+      "integrity": "sha512-qehxGkRj55h/ff8EMaJ+cYhyaKlHIxqYDn682wQD7RNp9UujOQsHog2uS0r2vzr4pW+sXf90NeeayjcNaX3fFg==",
       "dev": true,
+      "license": "MIT",
       "engines": {
         "node": ">=6.9.0"
       }
     },
     "node_modules/@babel/helper-validator-option": {
-      "version": "7.27.1",
-      "integrity": "sha512-YvjJow9FxbhFFKDSuFnVCe2WxXk1zWc22fFePVNEaWJEu8IrZVlda6N0uHwzZrUM1il7NC9Mlp4MaJYbYd9JSg==",
+      "version": "7.29.7",
+      "integrity": "sha512-N9ZErrD+yW5geCDtBqnOoxmR8+tNKiGuxKlDpuJxfsqpa2dFcexaziGAE/qoHLiDDreVNMupxGmSoNlyvsA3gw==",
       "dev": true,
+      "license": "MIT",
       "engines": {
         "node": ">=6.9.0"
       }
     },
     "node_modules/@babel/helpers": {
-      "version": "7.28.6",
-      "integrity": "sha512-xOBvwq86HHdB7WUDTfKfT/Vuxh7gElQ+Sfti2Cy6yIWNW05P8iUslOVcZ4/sKbE+/jQaukQAdz/gf3724kYdqw==",
+      "version": "7.29.7",
+      "integrity": "sha512-1k2lAGRMfHTcwuNYcCNUmaUffmQv8KWMfh2iJUUeRlwlwH4FdNG7mfPI10NPfLHJFThE4Tyr4mv7kTNZOiPuBg==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
-        "@babel/template": "^7.28.6",
-        "@babel/types": "^7.28.6"
+        "@babel/template": "^7.29.7",
+        "@babel/types": "^7.29.7"
       },
       "engines": {
         "node": ">=6.9.0"
       }
     },
     "node_modules/@babel/parser": {
-      "version": "7.29.0",
-      "integrity": "sha512-IyDgFV5GeDUVX4YdF/3CPULtVGSXXMLh1xVIgdCgxApktqnQV0r7/8Nqthg+8YLGaAtdyIlo2qIdZrbCv4+7ww==",
+      "version": "7.29.7",
+      "integrity": "sha512-hnORnjP/1P/zFEndoeX+n+t1RwWRJiJpM/jO7FW32Kn9r5+sJB2JWOdYo4L6k78j15eCwY3Gm/7364B1EMwtNg==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
-        "@babel/types": "^7.29.0"
-      },
-      "bin": {
-        "parser": "bin/babel-parser.js"
+        "@babel/types": "^7.29.7"
       },
+      "bin": "./bin/babel-parser.js",
       "engines": {
         "node": ">=6.0.0"
       }
     },
     "node_modules/@babel/template": {
-      "version": "7.28.6",
-      "integrity": "sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==",
+      "version": "7.29.7",
+      "integrity": "sha512-puq+Gf35oI24FeN11LkoUQFqv9uwNeWpxXZi/Ji3rRIoKAzKnxRaZ+Gkj0vKS9ZCiTESfng1N9LyOyXvo+m+Gg==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
-        "@babel/code-frame": "^7.28.6",
-        "@babel/parser": "^7.28.6",
-        "@babel/types": "^7.28.6"
+        "@babel/code-frame": "^7.29.7",
+        "@babel/parser": "^7.29.7",
+        "@babel/types": "^7.29.7"
       },
       "engines": {
         "node": ">=6.9.0"
       }
     },
     "node_modules/@babel/traverse": {
-      "version": "7.29.0",
-      "integrity": "sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==",
+      "version": "7.29.7",
+      "integrity": "sha512-EhlfNQtZ+NK22w5BM61ciuiq1m58ed33Wr1Xan//ZRTy6hgjnwyCffRYwzsGXdASJSUJ1guZILsErh1eQcl+zw==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
-        "@babel/code-frame": "^7.29.0",
-        "@babel/generator": "^7.29.0",
-        "@babel/helper-globals": "^7.28.0",
-        "@babel/parser": "^7.29.0",
-        "@babel/template": "^7.28.6",
-        "@babel/types": "^7.29.0",
+        "@babel/code-frame": "^7.29.7",
+        "@babel/generator": "^7.29.7",
+        "@babel/helper-globals": "^7.29.7",
+        "@babel/parser": "^7.29.7",
+        "@babel/template": "^7.29.7",
+        "@babel/types": "^7.29.7",
         "debug": "^4.3.1"
       },
       "engines": {
@@ -243,12 +256,13 @@
       }
     },
     "node_modules/@babel/types": {
-      "version": "7.29.0",
-      "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
+      "version": "7.29.7",
+      "integrity": "sha512-4zBIxpPzowiZpusoFkyGVwakdRJUyuH5PxQ/PrqghfdFWWasvnCdPfQXHrenDai+gyLARulZjZowCOj6fjT4pA==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
-        "@babel/helper-string-parser": "^7.27.1",
-        "@babel/helper-validator-identifier": "^7.28.5"
+        "@babel/helper-string-parser": "^7.29.7",
+        "@babel/helper-validator-identifier": "^7.29.7"
       },
       "engines": {
         "node": ">=6.9.0"
@@ -3092,10 +3106,20 @@
       "dev": true
     },
     "node_modules/js-yaml": {
-      "version": "4.1.1",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
-      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz",
+      "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==",
       "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/puzrin"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/nodeca"
+        }
+      ],
       "license": "MIT",
       "dependencies": {
         "argparse": "^2.0.1"

scripts/ci/guard_clawhub_slug_owner.sh

@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  echo "Usage: $0 <target-clawhub-slug>" >&2
+}
+
+if [ "$#" -ne 1 ]; then
+  usage
+  exit 2
+fi
+
+TARGET_SLUG="$1"
+SITE="${CLAWHUB_SITE:-https://clawhub.ai}"
+REGISTRY="${CLAWHUB_REGISTRY:-$SITE}"
+CONFIG_PATH="${CLAWHUB_CONFIG_PATH:-$HOME/.clawhub-ci/config.json}"
+
+if [[ ! "$TARGET_SLUG" =~ ^[a-z0-9-]+$ ]]; then
+  echo "::error::Invalid ClawHub slug for ownership guard: ${TARGET_SLUG}"
+  exit 1
+fi
+
+if [ ! -f "$CONFIG_PATH" ]; then
+  echo "::error::ClawHub config not found at ${CONFIG_PATH}. Run clawhub login before ownership guard."
+  exit 1
+fi
+
+TOKEN="$(jq -r '.token // empty' "$CONFIG_PATH")"
+if [ -z "$TOKEN" ]; then
+  echo "::error::ClawHub token missing from ${CONFIG_PATH}. Run clawhub login before ownership guard."
+  exit 1
+fi
+
+TMP_DIR="$(mktemp -d)"
+trap 'rm -rf "$TMP_DIR"' EXIT
+
+api_get() {
+  local path="$1"
+  local output_path="$2"
+  local url="${REGISTRY%/}${path}"
+  local http_status
+  local curl_status
+
+  set +e
+  http_status="$(
+    curl --silent --show-error --location --max-time 15 \
+      --header "Accept: application/json" \
+      --header "Authorization: Bearer ${TOKEN}" \
+      --output "$output_path" \
+      --write-out "%{http_code}" \
+      "$url"
+  )"
+  curl_status=$?
+  set -e
+
+  if [ "$curl_status" -ne 0 ]; then
+    echo "::error::Failed to call ClawHub API: ${url}"
+    return 1
+  fi
+
+  printf '%s\n' "$http_status"
+}
+
+whoami_json="$TMP_DIR/whoami.json"
+whoami_status="$(api_get "/api/v1/whoami" "$whoami_json")"
+if [ "$whoami_status" != "200" ]; then
+  echo "::error::Failed to verify authenticated ClawHub publisher. HTTP ${whoami_status}."
+  cat "$whoami_json"
+  exit 1
+fi
+
+publisher_handle="$(jq -r '.user.handle // empty' "$whoami_json")"
+if [ -z "$publisher_handle" ]; then
+  echo "::error::Could not determine authenticated ClawHub publisher handle."
+  cat "$whoami_json"
+  exit 1
+fi
+
+target_json="$TMP_DIR/target.json"
+target_status="$(api_get "/api/v1/skills/${TARGET_SLUG}" "$target_json")"
+if [ "$target_status" = "404" ]; then
+  echo "Target ClawHub slug ${TARGET_SLUG} is not currently published; authenticated publisher ${publisher_handle} may create it."
+  exit 0
+fi
+
+if [ "$target_status" != "200" ]; then
+  echo "::error::Failed to inspect target ClawHub slug ${TARGET_SLUG}. HTTP ${target_status}."
+  cat "$target_json"
+  exit 1
+fi
+
+target_owner="$(jq -r '.owner.handle // .owner.displayName // empty' "$target_json")"
+if [ -z "$target_owner" ]; then
+  echo "::error::Could not determine owner for existing ClawHub slug ${TARGET_SLUG}."
+  echo "target owner: ${target_owner:-unknown}"
+  exit 1
+fi
+
+if [ "$target_owner" != "$publisher_handle" ]; then
+  echo "::error::Resolved ClawHub slug ${TARGET_SLUG} is already owned by ${target_owner}, but the authenticated publisher is ${publisher_handle}. Transfer or alias the registry slug before publishing."
+  exit 1
+fi
+
+echo "ClawHub slug ownership guard passed: ${TARGET_SLUG} owned by authenticated publisher ${publisher_handle}."

scripts/ci/install_clawhub_cli.sh

@@ -2,27 +2,6 @@
 set -euo pipefail
 
 CLI_PREFIX="${CLAWHUB_CLI_PREFIX:-.github/clawhub-cli}"
-CODEARTIFACT_DOMAIN="${CODEARTIFACT_DOMAIN:-prompt-security}"
-CODEARTIFACT_DOMAIN_OWNER="${CODEARTIFACT_DOMAIN_OWNER:-443370709039}"
-CODEARTIFACT_REPOSITORY="${CODEARTIFACT_REPOSITORY:-npm-proxy}"
-AWS_REGION="${AWS_REGION:-${AWS_DEFAULT_REGION:-eu-north-1}}"
-
-if ! command -v aws >/dev/null 2>&1; then
-  echo "::error::aws CLI is required to authenticate npm against CodeArtifact"
-  exit 1
-fi
-
-if ! aws sts get-caller-identity >/dev/null 2>&1; then
-  echo "::error::AWS credentials are required before installing the CodeArtifact-pinned clawhub CLI"
-  exit 1
-fi
-
-aws codeartifact login \
-  --tool npm \
-  --domain "$CODEARTIFACT_DOMAIN" \
-  --domain-owner "$CODEARTIFACT_DOMAIN_OWNER" \
-  --repository "$CODEARTIFACT_REPOSITORY" \
-  --region "$AWS_REGION"
 
 npm ci --prefix "$CLI_PREFIX"
 

scripts/ci/resolve_clawhub_slug.mjs

@@ -43,14 +43,14 @@ export function resolveClawHubSlug({ name, platforms = [] }) {
     throw new Error(`Invalid skill name for ClawHub slug mapping: ${name}`);
   }
 
-  if (name.startsWith("clawsec-")) {
-    return name;
-  }
-
   if (EXPLICIT_SLUGS.has(name)) {
     return EXPLICIT_SLUGS.get(name);
   }
 
+  if (name.startsWith("clawsec-")) {
+    return name;
+  }
+
   if (PLATFORM_KEYS.some((platform) => name.startsWith(`${platform}-`))) {
     return `clawsec-${name}`;
   }

scripts/ci/simulate_skill_tag_release.mjs

@@ -484,6 +484,13 @@ async function main() {
       await cp(path.join(tempSkillDir, "README.md"), path.join(releaseAssetsDir, "README.md"));
     }
 
+    for (const artifact of ["skill.json", "SKILL.md", "README.md"]) {
+      if (existsSync(path.join(releaseAssetsDir, artifact))) {
+        await addReleaseAssetChecksum({ releaseAssetsDir, manifest, asset: artifact });
+      }
+    }
+    await writeJson(path.join(releaseAssetsDir, "checksums.json"), manifest);
+
     const { privateKeyPath, publicKeyPath } = await createSigningKeyPair(tempRoot);
     await signFileBase64({
       keyPath: privateKeyPath,

scripts/ci/validate_skill_install_docs.mjs

@@ -143,6 +143,8 @@ function changedSkillDirs({ root, base, head }) {
       `${base}...${head}`,
       "--",
       "skills/*/**",
+      ":(exclude)skills/clawsec-feed/advisories/feed.json",
+      ":(exclude)skills/clawsec-feed/advisories/feed.json.sig",
       ":(exclude)skills/*/test/**",
       ":(exclude)skills/*/tests/**",
     ],

scripts/release-skill.sh

@@ -141,6 +141,23 @@ if [ -f "$SKILL_PATH/SKILL.md" ]; then
 
   echo "  ✓ Version updated to $VERSION"
 
+  echo "Updating release verification VERSION assignments in SKILL.md..."
+  VERSION_ASSIGNMENT_PATTERN='^VERSION="[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?"$'
+  if grep -qE "$VERSION_ASSIGNMENT_PATTERN" "$TEMP_DIR/SKILL.md"; then
+    sed -E "s|$VERSION_ASSIGNMENT_PATTERN|VERSION=\"$VERSION\"|g" "$TEMP_DIR/SKILL.md" > "$TEMP_DIR/SKILL.md.tmp"
+
+    if ! grep -qF "VERSION=\"$VERSION\"" "$TEMP_DIR/SKILL.md.tmp"; then
+      echo "Warning: VERSION assignment found but substitution may have failed" >&2
+    else
+      VERSION_ASSIGNMENT_COUNT=$(grep -cF "VERSION=\"$VERSION\"" "$TEMP_DIR/SKILL.md.tmp")
+      echo "  ✓ Updated $VERSION_ASSIGNMENT_COUNT VERSION assignment(s)"
+    fi
+
+    mv "$TEMP_DIR/SKILL.md.tmp" "$TEMP_DIR/SKILL.md"
+  else
+    echo "  ℹ No hardcoded release verification VERSION assignments found"
+  fi
+
   echo "Updating hardcoded version URLs in SKILL.md to use tag $TAG..."
   # Replace all hardcoded version URLs: download/SKILLNAME-vX.Y.Z(-prerelease)?/ -> download/TAG/
   # This handles patterns like: download/clawsec-feed-v1.0.0/ or download/prompt-agent-v1.0.0-beta1/

scripts/test-skill-release-workflow.mjs

@@ -3,12 +3,20 @@ import { readFile } from 'node:fs/promises';
 
 const workflowPath = new URL('../.github/workflows/skill-release.yml', import.meta.url);
 const ciWorkflowPath = new URL('../.github/workflows/ci.yml', import.meta.url);
+const clawhubLockPath = new URL('../.github/clawhub-cli/package-lock.json', import.meta.url);
+const validateSkillInstallDocsPath = new URL('./ci/validate_skill_install_docs.mjs', import.meta.url);
 const installClawhubCliPath = new URL('./ci/install_clawhub_cli.sh', import.meta.url);
 const patchClawhubPayloadPath = new URL('./ci/patch_clawhub_publish_payload.mjs', import.meta.url);
+const guardClawhubSlugOwnerPath = new URL('./ci/guard_clawhub_slug_owner.sh', import.meta.url);
+const releaseSkillScriptPath = new URL('./release-skill.sh', import.meta.url);
 const workflow = await readFile(workflowPath, 'utf8');
 const ciWorkflow = await readFile(ciWorkflowPath, 'utf8');
+const clawhubLock = JSON.parse(await readFile(clawhubLockPath, 'utf8'));
+const validateSkillInstallDocs = await readFile(validateSkillInstallDocsPath, 'utf8');
 const installClawhubCli = await readFile(installClawhubCliPath, 'utf8');
 const patchClawhubPayload = await readFile(patchClawhubPayloadPath, 'utf8');
+const guardClawhubSlugOwner = await readFile(guardClawhubSlugOwnerPath, 'utf8');
+const releaseSkillScript = await readFile(releaseSkillScriptPath, 'utf8');
 
 assert.match(
   workflow,
@@ -16,6 +24,16 @@ assert.match(
   'Skill release workflow must run when any skill package file changes',
 );
 
+for (const generatedFeedPath of [
+  'skills/clawsec-feed/advisories/feed.json',
+  'skills/clawsec-feed/advisories/feed.json.sig',
+]) {
+  assert.ok(
+    workflow.includes(`      - '!${generatedFeedPath}'`),
+    `Skill release workflow must not run for generated advisory mirror-only changes to ${generatedFeedPath}`,
+  );
+}
+
 assert.match(
   workflow,
   /pull_request:[\s\S]*paths:[\s\S]*- '\.github\/workflows\/skill-release\.yml'[\s\S]*- 'scripts\/ci\/\*\*'/,
@@ -34,10 +52,20 @@ assert.ok(
 
 assert.match(
   workflow,
-  /git diff --name-only "\$\{BASE_SHA\}\.\.\.\$\{HEAD_SHA\}" --[\s\S]*'skills\/\*\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/test\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/tests\/\*\*'/,
-  'Skill release validation must ignore test-only skill changes while inspecting release-relevant skill files',
+  /git diff --name-only "\$\{BASE_SHA\}\.\.\.\$\{HEAD_SHA\}" --[\s\S]*'skills\/\*\/\*\*'[\s\S]*':\(exclude\)skills\/clawsec-feed\/advisories\/feed\.json'[\s\S]*':\(exclude\)skills\/clawsec-feed\/advisories\/feed\.json\.sig'[\s\S]*':\(exclude\)skills\/\*\/test\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/tests\/\*\*'/,
+  'Skill release validation must ignore generated clawsec-feed advisory mirror and test-only changes while inspecting release-relevant skill files',
 );
 
+for (const generatedFeedPath of [
+  ':(exclude)skills/clawsec-feed/advisories/feed.json',
+  ':(exclude)skills/clawsec-feed/advisories/feed.json.sig',
+]) {
+  assert.ok(
+    validateSkillInstallDocs.includes(`"${generatedFeedPath}"`),
+    `Install-doc validation changed-skill detection must ignore generated advisory mirror-only changes to ${generatedFeedPath}`,
+  );
+}
+
 assert.ok(
   workflow.includes('name = tolower($NF)')
     && workflow.includes('name ~ /^(test|spec)[_-]/')
@@ -137,8 +165,8 @@ assert.match(
 
 assert.match(
   workflow,
-  /Run release dry-run for changed skills[\s\S]*git diff --name-only "\$\{BASE_SHA\}\.\.\.\$\{HEAD_SHA\}" --[\s\S]*'skills\/\*\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/test\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/tests\/\*\*'/,
-  'PR dry-run SkillSpector scan must run when any release-relevant skill package file changes',
+  /Run release dry-run for changed skills[\s\S]*git diff --name-only "\$\{BASE_SHA\}\.\.\.\$\{HEAD_SHA\}" --[\s\S]*'skills\/\*\/\*\*'[\s\S]*':\(exclude\)skills\/clawsec-feed\/advisories\/feed\.json'[\s\S]*':\(exclude\)skills\/clawsec-feed\/advisories\/feed\.json\.sig'[\s\S]*':\(exclude\)skills\/\*\/test\/\*\*'[\s\S]*':\(exclude\)skills\/\*\/tests\/\*\*'/,
+  'PR dry-run SkillSpector scan must run when any release-relevant skill package file changes except generated advisory mirror files',
 );
 
 assert.ok(
@@ -194,6 +222,29 @@ for (const artifact of ['skill-card.md', 'permissions.json', 'install.md', 'skil
   );
 }
 
+for (const artifact of ['skill.json', 'SKILL.md']) {
+  assert.match(
+    workflow,
+    new RegExp(
+      String.raw`cp [\s\S]*? "\$\{out_assets\}/${escapeRegExp(artifact)}"[\s\S]*?` +
+        String.raw`if ! add_release_asset_checksum "\$\{out_assets\}" "${escapeRegExp(artifact)}"; then`,
+    ),
+    `PR dry-run validation must checksum standalone downloadable ${artifact} after copying it to release assets`,
+  );
+}
+
+assert.match(
+  workflow,
+  /if \[ -f "\$\{out_assets\}\/README\.md" \] && ! add_release_asset_checksum "\$\{out_assets\}" "README\.md"; then/,
+  'PR dry-run validation must checksum standalone downloadable README.md when it is shipped',
+);
+
+assert.match(
+  workflow,
+  /cp "\$SKILL_PATH\/skill\.json" release-assets\/skill\.json[\s\S]*add_release_asset_checksum "skill\.json"[\s\S]*add_release_asset_checksum "SKILL\.md"[\s\S]*add_release_asset_checksum "README\.md"/,
+  'Tag release validation must checksum standalone downloadable skill files before signing checksums.json',
+);
+
 assert.match(
   workflow,
   /add_release_asset_checksum "skill-card\.md"/,
@@ -227,15 +278,40 @@ assert.match(
 assert.match(
   workflow,
   /comment-skillspector-report:[\s\S]*needs: release[\s\S]*issues: write[\s\S]*actions\/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8\.0\.1/,
-  'Skill release workflow must download generated SkillSpector reports in a separate PR comment job with comment permissions',
+  'Skill release workflow must download generated SkillSpector reports in a separate PR comment job with issue-comment permissions',
+);
+
+const commentJob = workflow.match(/[ ]{2}comment-skillspector-report:[\s\S]*?\n[ ]{2}[a-z][^:\n]*:/)?.[0] || "";
+assert.match(
+  commentJob,
+  /issues: write/,
+  'SkillSpector PR comment publishing must request issues write permissions so report comments can be created',
+);
+
+assert.doesNotMatch(
+  commentJob,
+  /pull-requests: write/,
+  'SkillSpector PR comment publishing must not broaden the token with pull-requests write permissions',
 );
 
 assert.match(
   workflow,
-  /comment-skillspector-report:[\s\S]*if: always\(\) && github\.event_name == 'pull_request' && needs\.release\.result != 'cancelled'[\s\S]*Download SkillSpector reports[\s\S]*continue-on-error: true/,
+  /comment-skillspector-report:[\s\S]*if: always\(\) && github\.event_name == 'pull_request' && needs\.release\.result != 'cancelled'[\s\S]*Download SkillSpector reports/,
   'SkillSpector PR comments must still run when the release dry-run produced reports but the release job failed later',
 );
 
+assert.match(
+  workflow,
+  /Comment SkillSpector reports[\s\S]*actions\/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9\.0\.0/,
+  'SkillSpector PR comment publishing must use the pinned GitHub script action',
+);
+
+assert.doesNotMatch(
+  commentJob,
+  /continue-on-error: true/,
+  'SkillSpector PR comment publishing must fail visibly when report artifacts or PR comments cannot be created',
+);
+
 assert.match(
   workflow,
   /function sanitizeReportForComment\(report\)[\s\S]*code block omitted from PR comment[\s\S]*inline snippet omitted[\s\S]*redacted-email[\s\S]*redacted-token/,
@@ -277,6 +353,16 @@ assert.ok(
   'Skill release workflow must accept every prerelease version format that release-skill.sh accepts',
 );
 
+assert.ok(
+  releaseSkillScript.includes(`VERSION_ASSIGNMENT_PATTERN='^VERSION="[0-9]+\\.[0-9]+\\.[0-9]+(-[a-zA-Z0-9.]+)?"$'`),
+  'release-skill.sh must detect hardcoded release verification VERSION assignments in SKILL.md',
+);
+
+assert.ok(
+  releaseSkillScript.includes('sed -E "s|$VERSION_ASSIGNMENT_PATTERN|VERSION=\\"$VERSION\\"|g"'),
+  'release-skill.sh must update hardcoded release verification VERSION assignments when bumping a skill',
+);
+
 assert.match(
   workflow,
   /clawhub_slug: \$\{\{ steps\.publishable\.outputs\.clawhub_slug \}\}/,
@@ -291,8 +377,8 @@ assert.match(
 
 assert.match(
   workflow,
-  /cp scripts\/ci\/resolve_clawhub_slug\.mjs "\$RUNNER_TEMP\/resolve_clawhub_slug\.mjs"/,
-  'Manual ClawHub republish must preserve the current slug helper before checking out an older release tag',
+  /cp scripts\/ci\/resolve_clawhub_slug\.mjs "\$RUNNER_TEMP\/resolve_clawhub_slug\.mjs"[\s\S]*cp scripts\/ci\/skill_platforms\.mjs "\$RUNNER_TEMP\/skill_platforms\.mjs"/,
+  'Manual ClawHub republish must preserve the current slug helper and its local module dependency before checking out an older release tag',
 );
 
 assert.match(
@@ -319,6 +405,12 @@ assert.match(
   'ClawHub publish must use the resolved ClawHub slug',
 );
 
+assert.match(
+  workflow,
+  /clawhub publish "\$SKILL_PATH"[\s\S]*--slug "\$CLAWHUB_SLUG"/,
+  'ClawHub publish must use the resolved ClawHub slug',
+);
+
 assert.equal(
   workflow.match(/bash scripts\/ci\/install_clawhub_cli\.sh/g)?.length,
   2,
@@ -331,6 +423,12 @@ assert.equal(
   'ClawHub publish and republish jobs must share the same payload patch helper',
 );
 
+assert.equal(
+  workflow.match(/bash scripts\/ci\/guard_clawhub_slug_owner\.sh/g)?.length,
+  2,
+  'ClawHub publish and republish jobs must guard mapped slug ownership before publishing',
+);
+
 assert.doesNotMatch(
   workflow,
   /npm ci --prefix \.github\/clawhub-cli/,
@@ -343,26 +441,27 @@ assert.doesNotMatch(
   'ClawHub payload patching must not be duplicated inline in the workflow',
 );
 
-for (const secret of ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN']) {
-  assert.match(
-    workflow,
-    new RegExp(`${secret}: \\$\\{\\{ secrets\\.${secret} \\}\\}`),
-    `ClawHub jobs must expose ${secret} for CodeArtifact npm authentication`,
-  );
-}
-
-assert.match(
-  installClawhubCli,
-  /aws codeartifact login[\s\S]*--domain "\$CODEARTIFACT_DOMAIN"[\s\S]*--domain-owner "\$CODEARTIFACT_DOMAIN_OWNER"[\s\S]*--repository "\$CODEARTIFACT_REPOSITORY"[\s\S]*--region "\$AWS_REGION"/,
-  'ClawHub CLI installer must authenticate npm against CodeArtifact before npm ci',
-);
-
 assert.match(
   installClawhubCli,
   /npm ci --prefix "\$CLI_PREFIX"/,
   'ClawHub CLI installer must install from the committed lockfile prefix',
 );
 
+assert.doesNotMatch(
+  installClawhubCli,
+  /aws codeartifact login|AWS credentials are required/,
+  'ClawHub CLI installer must not require AWS secrets that are not configured for release workflows',
+);
+
+const clawhubLockResolvedUrls = Object.values(clawhubLock.packages ?? {})
+  .map((entry) => entry.resolved)
+  .filter(Boolean);
+assert.ok(clawhubLockResolvedUrls.length > 0, 'ClawHub CLI lockfile must contain resolved tarball URLs');
+assert.ok(
+  clawhubLockResolvedUrls.every((url) => url.startsWith('https://registry.npmjs.org/')),
+  'ClawHub CLI lockfile must use public npm tarballs because release workflows do not have AWS CodeArtifact secrets',
+);
+
 assert.match(
   installClawhubCli,
   /"\$\{workspace\}\/\$\{CLI_PREFIX\}\/node_modules\/\.bin" >> "\$GITHUB_PATH"/,
@@ -381,6 +480,54 @@ assert.match(
   'ClawHub payload patch helper must preserve the acceptLicenseTerms workaround',
 );
 
+assert.match(
+  patchClawhubPayload,
+  /Already patched/,
+  'ClawHub payload patch helper must stay idempotent when the pinned CLI already includes acceptLicenseTerms',
+);
+
+assert.match(
+  guardClawhubSlugOwner,
+  /api_get "\/api\/v1\/whoami" "\$whoami_json"/,
+  'ClawHub slug ownership guard must verify the authenticated publisher through the ClawHub API',
+);
+
+assert.match(
+  guardClawhubSlugOwner,
+  /api_get "\/api\/v1\/skills\/\$\{TARGET_SLUG\}" "\$target_json"/,
+  'ClawHub slug ownership guard must inspect the resolved publish slug through the ClawHub API',
+);
+
+assert.match(
+  guardClawhubSlugOwner,
+  /\[ "\$target_status" = "404" \]/,
+  'ClawHub slug ownership guard must treat HTTP 404 as the structured unpublished-slug signal',
+);
+
+assert.match(
+  guardClawhubSlugOwner,
+  /\[ "\$target_owner" != "\$publisher_handle" \]/,
+  'ClawHub slug ownership guard must reject slugs owned by a different authenticated registry publisher',
+);
+
+assert.doesNotMatch(
+  guardClawhubSlugOwner,
+  /SOURCE_SLUG|source_owner|grep -Eqi[\s\S]*Skill not found/,
+  'ClawHub slug ownership guard must not inspect raw source names or depend on stderr wording',
+);
+
+assert.match(
+  workflow,
+  /SITE=\$\{CLAWHUB_SITE:-https:\/\/clawhub\.ai\}[\s\S]*REGISTRY=\$\{CLAWHUB_REGISTRY:-\$SITE\}[\s\S]*export CLAWHUB_CONFIG_PATH="\$HOME\/\.clawhub-ci\/config\.json"[\s\S]*export CLAWHUB_SITE="\$SITE"[\s\S]*export CLAWHUB_REGISTRY="\$REGISTRY"[\s\S]*bash scripts\/ci\/guard_clawhub_slug_owner\.sh[\s\S]*\$\{\{ needs\.release-tag\.outputs\.clawhub_slug \}\}/,
+  'ClawHub publish job must guard the resolved publish slug with the authenticated ClawHub config path',
+);
+
+assert.match(
+  workflow,
+  /SITE=\$\{CLAWHUB_SITE:-https:\/\/clawhub\.ai\}[\s\S]*REGISTRY=\$\{CLAWHUB_REGISTRY:-\$SITE\}[\s\S]*export CLAWHUB_CONFIG_PATH="\$HOME\/\.clawhub-ci\/config\.json"[\s\S]*export CLAWHUB_SITE="\$SITE"[\s\S]*export CLAWHUB_REGISTRY="\$REGISTRY"[\s\S]*bash scripts\/ci\/guard_clawhub_slug_owner\.sh[\s\S]*\$\{\{ steps\.publishable\.outputs\.clawhub_slug \}\}/,
+  'ClawHub republish job must guard the resolved publish slug with the authenticated ClawHub config path',
+);
+
 assert.doesNotMatch(
   workflow,
   /clawhub inspect "\$SKILL_NAME" --version "\$VERSION" --json/,

scripts/test-skill-tag-release-simulation.mjs

@@ -1,5 +1,7 @@
 import assert from "node:assert/strict";
+import { createHash } from "node:crypto";
 import { chmod, cp, mkdtemp, readFile, rm, writeFile } from "node:fs/promises";
+import { existsSync } from "node:fs";
 import { tmpdir } from "node:os";
 import path from "node:path";
 import { spawnSync } from "node:child_process";
@@ -7,6 +9,10 @@ import { spawnSync } from "node:child_process";
 const tempRoot = await mkdtemp(path.join(tmpdir(), "clawsec-tag-release-sim-"));
 const fakeSkillspector = path.join(tempRoot, "skillspector");
 
+function sha256(buffer) {
+  return createHash("sha256").update(buffer).digest("hex");
+}
+
 async function prereleaseFixture(sourceSkillDir, version, fixtureGroup) {
   const fixtureDir = path.join(tempRoot, fixtureGroup, path.basename(sourceSkillDir));
   await cp(sourceSkillDir, fixtureDir, { recursive: true });
@@ -77,6 +83,24 @@ async function runSimulation({ skillDir, outputDir, expectedOriginal, expectedSi
     assert.ok(file.length > 0, `${artifact} should not be empty`);
   }
 
+  for (const artifact of ["skill.json", "SKILL.md", "skillspector-report.md"]) {
+    const file = await readFile(path.join(releaseAssetsDir, artifact));
+    assert.equal(
+      checksums.files[artifact]?.sha256,
+      sha256(file),
+      `${artifact} must be downloadable and covered by checksums.json`,
+    );
+  }
+
+  if (existsSync(path.join(releaseAssetsDir, "README.md"))) {
+    const file = await readFile(path.join(releaseAssetsDir, "README.md"));
+    assert.equal(
+      checksums.files["README.md"]?.sha256,
+      sha256(file),
+      "README.md must be downloadable and covered by checksums.json when shipped",
+    );
+  }
+
   const archive = await readFile(path.join(releaseAssetsDir, `${expectedTag}.zip`));
   assert.ok(archive.length > 0, "release archive should not be empty");
 
@@ -140,16 +164,16 @@ writeFileSync(process.argv[outputIndex + 1], "# Fake SkillSpector Report\\n\\nNo
   await runSimulation({
     skillDir: "skills/clawsec-suite",
     outputDir: path.join(tempRoot, "stable"),
-    expectedOriginal: "0.1.10",
-    expectedSimulated: "0.1.11",
+    expectedOriginal: "0.1.12",
+    expectedSimulated: "0.1.13",
     expectedAgent: "openclaw",
   });
 
   await runSimulation({
     skillDir: "skills/hermes-traffic-guardian",
     outputDir: path.join(tempRoot, "beta"),
-    expectedOriginal: "0.0.1-beta3",
-    expectedSimulated: "0.0.1-beta4",
+    expectedOriginal: "0.0.1-beta5",
+    expectedSimulated: "0.0.1-beta6",
     expectedAgent: "hermes-agent",
   });
 

scripts/test-skill-trust-packet.mjs

@@ -25,7 +25,7 @@ function runTrustPacket(skillDir, targetDir, tag) {
 }
 
 try {
-  const result = runTrustPacket("skills/clawsec-suite", outputDir, "clawsec-suite-v0.1.10");
+  const result = runTrustPacket("skills/clawsec-suite", outputDir, "clawsec-suite-v0.1.12");
 
   assert.equal(
     result.status,
@@ -41,10 +41,10 @@ try {
   assert.match(skillCard, /## License\/Terms of Use/);
   assert.match(skillCard, /AGPL-3\.0-or-later/);
   assert.match(skillCard, /skillspector-report\.md/);
-  assert.match(skillCard, /clawsec-suite-v0\.1\.10/);
+  assert.match(skillCard, /clawsec-suite-v0\.1\.12/);
 
   assert.equal(permissions.skill, "clawsec-suite");
-  assert.equal(permissions.version, "0.1.10");
+  assert.equal(permissions.version, "0.1.12");
   assert.equal(permissions.platform, "openclaw");
   assert.deepEqual(
     permissions.required_binaries,
@@ -62,7 +62,7 @@ try {
   const hermesResult = runTrustPacket(
     "skills/hermes-attestation-guardian",
     hermesOutputDir,
-    "hermes-attestation-guardian-v0.1.4",
+    "hermes-attestation-guardian-v0.1.6",
   );
   assert.equal(
     hermesResult.status,

skills/clawsec-clawhub-checker/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.0.8] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.0.7] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.6] - 2026-06-10
 
 ### Changed

skills/clawsec-clawhub-checker/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: clawsec-clawhub-checker
-version: 0.0.6
+version: 0.0.8
 description: ClawHub reputation checker for clawsec-suite. Adds a standalone reputation gate before guarded skill installation.
 homepage: https://clawsec.prompt.security
 clawdis:
@@ -61,7 +61,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail
 
 SKILL_NAME="clawsec-clawhub-checker"
-VERSION="0.0.4"
+VERSION="0.0.8"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"

skills/clawsec-clawhub-checker/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "clawsec-clawhub-checker",
-  "version": "0.0.6",
+  "version": "0.0.8",
   "description": "ClawHub reputation checker for clawsec-suite. Adds a standalone reputation gate before guarded skill installation.",
   "author": "abutbul",
   "license": "AGPL-3.0-or-later",

skills/clawsec-feed/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.0.11] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.0.10] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.9] - 2026-06-10
 
 ### Changed

skills/clawsec-feed/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: clawsec-feed
-version: 0.0.9
+version: 0.0.11
 description: Security advisory feed package for OpenClaw-related threats and vulnerabilities. The upstream feed is updated daily; local automation is handled by clawsec-suite or the operator.
 homepage: https://clawsec.prompt.security
 metadata: {"openclaw":{"emoji":"📡","category":"security"}}
@@ -96,7 +96,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail
 
 SKILL_NAME="clawsec-feed"
-VERSION="0.0.9"
+VERSION="0.0.11"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"

skills/clawsec-feed/advisories/feed.json.sig

@@ -1 +1 @@
-jPrlTYwicRwoQgTs5Rk3Y3g6Lz78jNRs9ZNf0R09M4jkJokZENxfvhvHphI9MH4u+7wv0sFZ+yZbQtJ42y+hCQ==
+K19pfVfv7qB1cqFPFTu69+sKLHIMIrmS7GeK4BZIlHzRvrLfRUuq/KftC8/CIWwvixVlBBm/iZlyfJ5sutoDDw==

skills/clawsec-feed/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "clawsec-feed",
-  "version": "0.0.9",
+  "version": "0.0.11",
   "description": "Security advisory feed monitoring for AI agents. Subscribe to community-driven threat intelligence.",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",

skills/clawsec-nanoclaw/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.0.10] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.0.9] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.8] - 2026-06-10
 
 ### Changed

skills/clawsec-nanoclaw/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: clawsec-nanoclaw
-version: 0.0.8
+version: 0.0.10
 description: Use when checking for security vulnerabilities in NanoClaw skills, before installing new skills, or when asked about security advisories affecting the bot
 ---
 
@@ -217,7 +217,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail
 
 SKILL_NAME="clawsec-nanoclaw"
-VERSION="0.0.6"
+VERSION="0.0.10"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"

skills/clawsec-nanoclaw/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "clawsec-nanoclaw",
-  "version": "0.0.8",
+  "version": "0.0.10",
   "description": "ClawSec security suite for NanoClaw - Advisory feed monitoring, MCP tools for vulnerability checking, and Ed25519 signature verification for containerized WhatsApp bot agents",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",

skills/clawsec-scanner/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.0.7] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.0.6] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.5] - 2026-06-10
 
 ### Changed

skills/clawsec-scanner/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: clawsec-scanner
-version: 0.0.5
+version: 0.0.7
 description: Automated vulnerability scanner for agent platforms. Performs dependency scanning (npm audit, pip-audit), multi-database CVE lookup (OSV, NVD, GitHub Advisory), SAST analysis (Semgrep, Bandit), and agent-specific static hook inspection for OpenClaw hooks.
 homepage: https://clawsec.prompt.security
 clawdis:

skills/clawsec-scanner/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "clawsec-scanner",
-  "version": "0.0.5",
+  "version": "0.0.7",
   "description": "Automated vulnerability scanner for agent platforms. Performs dependency scanning (npm audit, pip-audit), multi-database CVE lookup (OSV, NVD, GitHub Advisory), SAST analysis (Semgrep, Bandit), and agent-specific static hook inspection for OpenClaw hooks.",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",

skills/clawsec-suite/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.1.12] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.1.11] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.1.10] - 2026-06-10
 
 ### Changed

skills/clawsec-suite/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: clawsec-suite
-version: 0.1.10
+version: 0.1.12
 description: ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills.
 homepage: https://clawsec.prompt.security
 clawdis:

skills/clawsec-suite/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "clawsec-suite",
-  "version": "0.1.10",
+  "version": "0.1.12",
   "description": "ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills.",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",

skills/clawtributor/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.0.9] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.0.8] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.7] - 2026-06-10
 
 ### Changed

skills/clawtributor/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: clawtributor
-version: 0.0.7
+version: 0.0.9
 description: Harness-neutral community incident reporting for AI agents. Contribute to collective security by reporting threats.
 homepage: https://clawsec.prompt.security
 platforms:
@@ -79,7 +79,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail
 
 SKILL_NAME="clawtributor"
-VERSION="0.0.7"
+VERSION="0.0.9"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"

skills/clawtributor/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "clawtributor",
-  "version": "0.0.7",
+  "version": "0.0.9",
   "description": "Harness-neutral community incident reporting for AI agents. Contribute to collective security by reporting threats.",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",

skills/hermes-attestation-guardian/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.1.6] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.1.5] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.1.4] - 2026-06-10
 
 ### Changed

skills/hermes-attestation-guardian/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: hermes-attestation-guardian
-version: 0.1.4
+version: 0.1.6
 description: Hermes-only runtime security attestation and drift detection skill for operator-managed Hermes infrastructure.
 homepage: https://clawsec.prompt.security
 hermes:
@@ -31,7 +31,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail
 
 SKILL_NAME="hermes-attestation-guardian"
-VERSION="0.1.4"
+VERSION="0.1.6"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"

skills/hermes-attestation-guardian/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "hermes-attestation-guardian",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "Hermes-only runtime security attestation and drift detection skill. Generates deterministic posture artifacts, verifies integrity fail-closed, and classifies baseline drift severity.",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",

skills/hermes-traffic-guardian/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.0.1-beta5] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.0.1-beta4] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.1-beta3] - 2026-06-10
 
 ### Changed

skills/hermes-traffic-guardian/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: hermes-traffic-guardian
-version: 0.0.1-beta3
+version: 0.0.1-beta5
 description: Hermes runtime traffic monitoring baseline for opt-in proxy inspection, egress detection, and attestation-aware traffic posture.
 homepage: https://clawsec.prompt.security
 author: prompt-security
@@ -31,7 +31,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail
 
 SKILL_NAME="hermes-traffic-guardian"
-VERSION="0.0.1-beta3"
+VERSION="0.0.1-beta5"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"

skills/hermes-traffic-guardian/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "hermes-traffic-guardian",
-  "version": "0.0.1-beta3",
+  "version": "0.0.1-beta5",
   "description": "Hermes runtime traffic monitoring baseline for opt-in proxy inspection, egress detection, and attestation-aware traffic posture.",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",

skills/nanoclaw-traffic-guardian/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.0.1-beta5] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.0.1-beta4] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.1-beta3] - 2026-06-10
 
 ### Changed

skills/nanoclaw-traffic-guardian/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: nanoclaw-traffic-guardian
-version: 0.0.1-beta3
+version: 0.0.1-beta5
 description: NanoClaw runtime traffic monitoring baseline for host-side proxy inspection with container-safe MCP and IPC status surfaces.
 homepage: https://clawsec.prompt.security
 author: prompt-security
@@ -30,7 +30,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail
 
 SKILL_NAME="nanoclaw-traffic-guardian"
-VERSION="0.0.1-beta3"
+VERSION="0.0.1-beta5"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"

skills/nanoclaw-traffic-guardian/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "nanoclaw-traffic-guardian",
-  "version": "0.0.1-beta3",
+  "version": "0.0.1-beta5",
   "description": "NanoClaw runtime traffic monitoring baseline for host-side proxy inspection with container-safe MCP and IPC status surfaces.",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",

skills/openclaw-audit-watchdog/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.1.9] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.1.8] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.1.7] - 2026-06-10
 
 ### Changed

skills/openclaw-audit-watchdog/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: openclaw-audit-watchdog
-version: 0.1.7
+version: 0.1.9
 description: Automated daily security audits for OpenClaw agents with DM delivery and optional email reporting. Runs deep audits, creates or updates a recurring cron job, and sends formatted reports to configured recipients.
 homepage: https://clawsec.prompt.security
 metadata:
@@ -81,7 +81,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail
 
 SKILL_NAME="openclaw-audit-watchdog"
-VERSION="0.1.7"
+VERSION="0.1.9"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"

skills/openclaw-audit-watchdog/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "openclaw-audit-watchdog",
-  "version": "0.1.7",
+  "version": "0.1.9",
   "description": "Automated daily security audits for OpenClaw agents with DM delivery and optional email reporting. Creates or updates an unattended cron job and sends formatted reports to configured recipients.",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",

skills/openclaw-traffic-guardian/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.0.1-beta5] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.0.1-beta4] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.1-beta3] - 2026-06-10
 
 ### Security

skills/openclaw-traffic-guardian/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: openclaw-traffic-guardian
-version: 0.0.1-beta3
+version: 0.0.1-beta5
 description: OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, inbound injection detection, and social-account policy review.
 homepage: https://clawsec.prompt.security
 author: prompt-security
@@ -31,7 +31,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail
 
 SKILL_NAME="openclaw-traffic-guardian"
-VERSION="0.0.1-beta3"
+VERSION="0.0.1-beta5"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"

skills/openclaw-traffic-guardian/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "openclaw-traffic-guardian",
-  "version": "0.0.1-beta3",
+  "version": "0.0.1-beta5",
   "description": "OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, inbound injection detection, and social-account policy review.",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",

skills/picoclaw-security-guardian/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.0.6] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.0.5] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.4] - 2026-06-10
 
 ### Changed

skills/picoclaw-security-guardian/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: picoclaw-security-guardian
-version: 0.0.4
+version: 0.0.6
 description: Picoclaw security posture skill with advisory awareness, configuration drift detection, and supply-chain verification guidance.
 homepage: https://clawsec.prompt.security
 author: prompt-security
@@ -34,7 +34,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail
 
 SKILL_NAME="picoclaw-security-guardian"
-VERSION="0.0.4"
+VERSION="0.0.6"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"

skills/picoclaw-security-guardian/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "picoclaw-security-guardian",
-  "version": "0.0.4",
+  "version": "0.0.6",
   "description": "Picoclaw security posture skill with advisory awareness, configuration drift detection, and supply-chain verification guidance.",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",

skills/picoclaw-self-pen-testing/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.0.5] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.0.4] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.3] - 2026-06-10
 
 ### Changed

skills/picoclaw-self-pen-testing/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: picoclaw-self-pen-testing
-version: 0.0.3
+version: 0.0.5
 description: Picoclaw-only local posture-review skill focused on read-only findings and safe operator remediation guidance.
 homepage: https://clawsec.prompt.security
 author: prompt-security
@@ -34,7 +34,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail
 
 SKILL_NAME="picoclaw-self-pen-testing"
-VERSION="0.0.3"
+VERSION="0.0.5"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"

skills/picoclaw-self-pen-testing/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "picoclaw-self-pen-testing",
-  "version": "0.0.3",
+  "version": "0.0.5",
   "description": "Picoclaw-only local posture-review skill focused on read-only findings and safe operator remediation guidance.",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",

skills/picoclaw-traffic-guardian/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.0.1-beta5] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.0.1-beta4] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.1-beta3] - 2026-06-10
 
 ### Changed

skills/picoclaw-traffic-guardian/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: picoclaw-traffic-guardian
-version: 0.0.1-beta3
+version: 0.0.1-beta5
 description: Picoclaw runtime traffic monitoring baseline for lightweight AI gateway proxy inspection, egress detection, and posture integration.
 homepage: https://clawsec.prompt.security
 author: prompt-security
@@ -31,7 +31,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail
 
 SKILL_NAME="picoclaw-traffic-guardian"
-VERSION="0.0.1-beta3"
+VERSION="0.0.1-beta5"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"

skills/picoclaw-traffic-guardian/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "picoclaw-traffic-guardian",
-  "version": "0.0.1-beta3",
+  "version": "0.0.1-beta5",
   "description": "Picoclaw runtime traffic monitoring baseline for lightweight AI gateway proxy inspection, egress detection, and posture integration.",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",

skills/soul-guardian/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.0.9] - 2026-06-23
+
+### Changed
+
+- Re-released skill metadata to run through the corrected normal tag publish pipeline without runtime changes.
+
+## [0.0.8] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.7] - 2026-06-10
 
 ### Changed

skills/soul-guardian/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: soul-guardian
-version: 0.0.7
+version: 0.0.9
 description: Drift detection + baseline integrity guard for agent workspace files with automatic alerting support
 homepage: https://clawsec.prompt.security
 metadata: {"openclaw":{"emoji":"👻","category":"security"}}
@@ -38,7 +38,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail
 
 SKILL_NAME="soul-guardian"
-VERSION="0.0.7"
+VERSION="0.0.9"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"

skills/soul-guardian/skill.json

@@ -1,6 +1,6 @@
 {
   "name": "soul-guardian",
-  "version": "0.0.7",
+  "version": "0.0.9",
   "description": "Drift detection and baseline integrity guard for agent workspace prompt files. Auto-restore critical files with tamper-evident audit logging.",
   "author": "prompt-security",
   "license": "AGPL-3.0-or-later",