fix(release): resolve metadata review comments

fix(release): keep skillspector PR comments non-blocking
chore(release): bump skill metadata for republish
2026-06-23 02:11:22 +03:00 · 2026-06-23 00:24:51 +03:00 · 2026-06-23 00:17:44 +03:00 · 2026-06-23 00:12:24 +03:00
49 changed files with 143 additions and 40 deletions
@@ -833,7 +833,6 @@ jobs:
      actions: read
      contents: read
      issues: write
-      pull-requests: read
    steps:
      - name: Download SkillSpector reports
        continue-on-error: true
@@ -843,6 +842,7 @@ jobs:
          path: skillspector-pr-reports

      - name: Comment SkillSpector reports
+        continue-on-error: true
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
@@ -254,12 +254,25 @@ assert.match(
  'Skill release workflow must download generated SkillSpector reports in a separate PR comment job with comment permissions',
 );

+const commentJob = workflow.match(/[ ]{2}comment-skillspector-report:[\s\S]*?\n[ ]{2}[a-z][^:\n]*:/)?.[0] || "";
+assert.doesNotMatch(
+  commentJob,
+  /pull-requests: write/,
+  'SkillSpector PR comment publishing should not request redundant pull-requests write permissions',
+);
+
 assert.match(
  workflow,
  /comment-skillspector-report:[\s\S]*if: always\(\) && github\.event_name == 'pull_request' && needs\.release\.result != 'cancelled'[\s\S]*Download SkillSpector reports[\s\S]*continue-on-error: true/,
  'SkillSpector PR comments must still run when the release dry-run produced reports but the release job failed later',
 );

+assert.match(
+  workflow,
+  /Comment SkillSpector reports[\s\S]*continue-on-error: true[\s\S]*actions\/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9\.0\.0/,
+  'SkillSpector PR comment publishing must not fail the release dry-run check',
+);
+
 assert.match(
  workflow,
  /function sanitizeReportForComment\(report\)[\s\S]*code block omitted from PR comment[\s\S]*inline snippet omitted[\s\S]*redacted-email[\s\S]*redacted-token/,
@@ -140,16 +140,16 @@ writeFileSync(process.argv[outputIndex + 1], "# Fake SkillSpector Report\\n\\nNo
  await runSimulation({
    skillDir: "skills/clawsec-suite",
    outputDir: path.join(tempRoot, "stable"),
-    expectedOriginal: "0.1.10",
-    expectedSimulated: "0.1.11",
+    expectedOriginal: "0.1.11",
+    expectedSimulated: "0.1.12",
    expectedAgent: "openclaw",
  });

  await runSimulation({
    skillDir: "skills/hermes-traffic-guardian",
    outputDir: path.join(tempRoot, "beta"),
-    expectedOriginal: "0.0.1-beta3",
-    expectedSimulated: "0.0.1-beta4",
+    expectedOriginal: "0.0.1-beta4",
+    expectedSimulated: "0.0.1-beta5",
    expectedAgent: "hermes-agent",
  });

@@ -25,7 +25,7 @@ function runTrustPacket(skillDir, targetDir, tag) {
 }

 try {
-  const result = runTrustPacket("skills/clawsec-suite", outputDir, "clawsec-suite-v0.1.10");
+  const result = runTrustPacket("skills/clawsec-suite", outputDir, "clawsec-suite-v0.1.11");

  assert.equal(
    result.status,
@@ -41,10 +41,10 @@ try {
  assert.match(skillCard, /## License\/Terms of Use/);
  assert.match(skillCard, /AGPL-3\.0-or-later/);
  assert.match(skillCard, /skillspector-report\.md/);
-  assert.match(skillCard, /clawsec-suite-v0\.1\.10/);
+  assert.match(skillCard, /clawsec-suite-v0\.1\.11/);

  assert.equal(permissions.skill, "clawsec-suite");
-  assert.equal(permissions.version, "0.1.10");
+  assert.equal(permissions.version, "0.1.11");
  assert.equal(permissions.platform, "openclaw");
  assert.deepEqual(
    permissions.required_binaries,
@@ -62,7 +62,7 @@ try {
  const hermesResult = runTrustPacket(
    "skills/hermes-attestation-guardian",
    hermesOutputDir,
-    "hermes-attestation-guardian-v0.1.4",
+    "hermes-attestation-guardian-v0.1.5",
  );
  assert.equal(
    hermesResult.status,
@@ -1,5 +1,11 @@
 # Changelog

+## [0.0.7] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.6] - 2026-06-10

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: clawsec-clawhub-checker
-version: 0.0.6
+version: 0.0.7
 description: ClawHub reputation checker for clawsec-suite. Adds a standalone reputation gate before guarded skill installation.
 homepage: https://clawsec.prompt.security
 clawdis:
@@ -1,6 +1,6 @@
 {
  "name": "clawsec-clawhub-checker",
-  "version": "0.0.6",
+  "version": "0.0.7",
  "description": "ClawHub reputation checker for clawsec-suite. Adds a standalone reputation gate before guarded skill installation.",
  "author": "abutbul",
  "license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
 # Changelog

+## [0.0.10] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.9] - 2026-06-10

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: clawsec-feed
-version: 0.0.9
+version: 0.0.10
 description: Security advisory feed package for OpenClaw-related threats and vulnerabilities. The upstream feed is updated daily; local automation is handled by clawsec-suite or the operator.
 homepage: https://clawsec.prompt.security
 metadata: {"openclaw":{"emoji":"📡","category":"security"}}
@@ -1,6 +1,6 @@
 {
  "name": "clawsec-feed",
-  "version": "0.0.9",
+  "version": "0.0.10",
  "description": "Security advisory feed monitoring for AI agents. Subscribe to community-driven threat intelligence.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
 # Changelog

+## [0.0.9] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.8] - 2026-06-10

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: clawsec-nanoclaw
-version: 0.0.8
+version: 0.0.9
 description: Use when checking for security vulnerabilities in NanoClaw skills, before installing new skills, or when asked about security advisories affecting the bot
 ---

@@ -1,6 +1,6 @@
 {
  "name": "clawsec-nanoclaw",
-  "version": "0.0.8",
+  "version": "0.0.9",
  "description": "ClawSec security suite for NanoClaw - Advisory feed monitoring, MCP tools for vulnerability checking, and Ed25519 signature verification for containerized WhatsApp bot agents",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
 # Changelog

+## [0.0.6] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.5] - 2026-06-10

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: clawsec-scanner
-version: 0.0.5
+version: 0.0.6
 description: Automated vulnerability scanner for agent platforms. Performs dependency scanning (npm audit, pip-audit), multi-database CVE lookup (OSV, NVD, GitHub Advisory), SAST analysis (Semgrep, Bandit), and agent-specific static hook inspection for OpenClaw hooks.
 homepage: https://clawsec.prompt.security
 clawdis:
@@ -1,6 +1,6 @@
 {
  "name": "clawsec-scanner",
-  "version": "0.0.5",
+  "version": "0.0.6",
  "description": "Automated vulnerability scanner for agent platforms. Performs dependency scanning (npm audit, pip-audit), multi-database CVE lookup (OSV, NVD, GitHub Advisory), SAST analysis (Semgrep, Bandit), and agent-specific static hook inspection for OpenClaw hooks.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
 # Changelog

+## [0.1.11] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.1.10] - 2026-06-10

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: clawsec-suite
-version: 0.1.10
+version: 0.1.11
 description: ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills.
 homepage: https://clawsec.prompt.security
 clawdis:
@@ -1,6 +1,6 @@
 {
  "name": "clawsec-suite",
-  "version": "0.1.10",
+  "version": "0.1.11",
  "description": "ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup for additional security skills.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
 # Changelog

+## [0.0.8] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.7] - 2026-06-10

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: clawtributor
-version: 0.0.7
+version: 0.0.8
 description: Harness-neutral community incident reporting for AI agents. Contribute to collective security by reporting threats.
 homepage: https://clawsec.prompt.security
 platforms:
@@ -1,6 +1,6 @@
 {
  "name": "clawtributor",
-  "version": "0.0.7",
+  "version": "0.0.8",
  "description": "Harness-neutral community incident reporting for AI agents. Contribute to collective security by reporting threats.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
 # Changelog

+## [0.1.5] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.1.4] - 2026-06-10

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: hermes-attestation-guardian
-version: 0.1.4
+version: 0.1.5
 description: Hermes-only runtime security attestation and drift detection skill for operator-managed Hermes infrastructure.
 homepage: https://clawsec.prompt.security
 hermes:
@@ -31,7 +31,7 @@ For standalone installs, verify the signed release manifest before trusting `SKI
 set -euo pipefail

 SKILL_NAME="hermes-attestation-guardian"
-VERSION="0.1.4"
+VERSION="0.1.5"
 REPO="prompt-security/clawsec"
 TAG="${SKILL_NAME}-v${VERSION}"
 BASE="https://github.com/${REPO}/releases/download/${TAG}"
@@ -1,6 +1,6 @@
 {
  "name": "hermes-attestation-guardian",
-  "version": "0.1.4",
+  "version": "0.1.5",
  "description": "Hermes-only runtime security attestation and drift detection skill. Generates deterministic posture artifacts, verifies integrity fail-closed, and classifies baseline drift severity.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
 # Changelog

+## [0.0.1-beta4] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.1-beta3] - 2026-06-10

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: hermes-traffic-guardian
-version: 0.0.1-beta3
+version: 0.0.1-beta4
 description: Hermes runtime traffic monitoring baseline for opt-in proxy inspection, egress detection, and attestation-aware traffic posture.
 homepage: https://clawsec.prompt.security
 author: prompt-security
@@ -1,6 +1,6 @@
 {
  "name": "hermes-traffic-guardian",
-  "version": "0.0.1-beta3",
+  "version": "0.0.1-beta4",
  "description": "Hermes runtime traffic monitoring baseline for opt-in proxy inspection, egress detection, and attestation-aware traffic posture.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
 # Changelog

+## [0.0.1-beta4] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.1-beta3] - 2026-06-10

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: nanoclaw-traffic-guardian
-version: 0.0.1-beta3
+version: 0.0.1-beta4
 description: NanoClaw runtime traffic monitoring baseline for host-side proxy inspection with container-safe MCP and IPC status surfaces.
 homepage: https://clawsec.prompt.security
 author: prompt-security
@@ -1,6 +1,6 @@
 {
  "name": "nanoclaw-traffic-guardian",
-  "version": "0.0.1-beta3",
+  "version": "0.0.1-beta4",
  "description": "NanoClaw runtime traffic monitoring baseline for host-side proxy inspection with container-safe MCP and IPC status surfaces.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
 # Changelog

+## [0.1.8] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.1.7] - 2026-06-10

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: openclaw-audit-watchdog
-version: 0.1.7
+version: 0.1.8
 description: Automated daily security audits for OpenClaw agents with DM delivery and optional email reporting. Runs deep audits, creates or updates a recurring cron job, and sends formatted reports to configured recipients.
 homepage: https://clawsec.prompt.security
 metadata:
@@ -1,6 +1,6 @@
 {
  "name": "openclaw-audit-watchdog",
-  "version": "0.1.7",
+  "version": "0.1.8",
  "description": "Automated daily security audits for OpenClaw agents with DM delivery and optional email reporting. Creates or updates an unattended cron job and sends formatted reports to configured recipients.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
 # Changelog

+## [0.0.1-beta4] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.1-beta3] - 2026-06-10

 ### Security
@@ -1,6 +1,6 @@
 ---
 name: openclaw-traffic-guardian
-version: 0.0.1-beta3
+version: 0.0.1-beta4
 description: OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, inbound injection detection, and social-account policy review.
 homepage: https://clawsec.prompt.security
 author: prompt-security
@@ -1,6 +1,6 @@
 {
  "name": "openclaw-traffic-guardian",
-  "version": "0.0.1-beta3",
+  "version": "0.0.1-beta4",
  "description": "OpenClaw runtime traffic monitoring baseline for opt-in HTTP/HTTPS proxy inspection, egress detection, inbound injection detection, and social-account policy review.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
 # Changelog

+## [0.0.5] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.4] - 2026-06-10

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: picoclaw-security-guardian
-version: 0.0.4
+version: 0.0.5
 description: Picoclaw security posture skill with advisory awareness, configuration drift detection, and supply-chain verification guidance.
 homepage: https://clawsec.prompt.security
 author: prompt-security
@@ -1,6 +1,6 @@
 {
  "name": "picoclaw-security-guardian",
-  "version": "0.0.4",
+  "version": "0.0.5",
  "description": "Picoclaw security posture skill with advisory awareness, configuration drift detection, and supply-chain verification guidance.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
 # Changelog

+## [0.0.4] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.3] - 2026-06-10

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: picoclaw-self-pen-testing
-version: 0.0.3
+version: 0.0.4
 description: Picoclaw-only local posture-review skill focused on read-only findings and safe operator remediation guidance.
 homepage: https://clawsec.prompt.security
 author: prompt-security
@@ -1,6 +1,6 @@
 {
  "name": "picoclaw-self-pen-testing",
-  "version": "0.0.3",
+  "version": "0.0.4",
  "description": "Picoclaw-only local posture-review skill focused on read-only findings and safe operator remediation guidance.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
 # Changelog

+## [0.0.1-beta4] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.1-beta3] - 2026-06-10

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: picoclaw-traffic-guardian
-version: 0.0.1-beta3
+version: 0.0.1-beta4
 description: Picoclaw runtime traffic monitoring baseline for lightweight AI gateway proxy inspection, egress detection, and posture integration.
 homepage: https://clawsec.prompt.security
 author: prompt-security
@@ -1,6 +1,6 @@
 {
  "name": "picoclaw-traffic-guardian",
-  "version": "0.0.1-beta3",
+  "version": "0.0.1-beta4",
  "description": "Picoclaw runtime traffic monitoring baseline for lightweight AI gateway proxy inspection, egress detection, and posture integration.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
@@ -1,5 +1,11 @@
 # Changelog

+## [0.0.8] - 2026-06-22
+
+### Changed
+
+- Re-released skill metadata to publish through the updated ClawHub pipeline without runtime changes.
+
 ## [0.0.7] - 2026-06-10

 ### Changed
@@ -1,6 +1,6 @@
 ---
 name: soul-guardian
-version: 0.0.7
+version: 0.0.8
 description: Drift detection + baseline integrity guard for agent workspace files with automatic alerting support
 homepage: https://clawsec.prompt.security
 metadata: {"openclaw":{"emoji":"👻","category":"security"}}
@@ -1,6 +1,6 @@
 {
  "name": "soul-guardian",
-  "version": "0.0.7",
+  "version": "0.0.8",
  "description": "Drift detection and baseline integrity guard for agent workspace prompt files. Auto-restore critical files with tamper-evident audit logging.",
  "author": "prompt-security",
  "license": "AGPL-3.0-or-later",
Author	SHA1	Message	Date
David Abutbul	bd6403073e	fix(release): resolve metadata review comments	2026-06-23 00:24:51 +03:00
David Abutbul	6d155d747b	fix(release): keep skillspector PR comments non-blocking	2026-06-23 00:17:44 +03:00
David Abutbul	0f79f45405	chore(release): bump skill metadata for republish	2026-06-23 00:12:24 +03:00