mirror of
https://github.com/prompt-security/clawsec.git
synced 2026-06-14 05:51:21 +03:00
David Abutbul
f76824bdb6
Scorecard flags the skill-release workflow's npm install of the clawhub CLI (code-scanning alerts #25/#26): version pinning alone carries no integrity guarantee. Install it with npm ci from a committed package-lock.json instead, so every package (clawhub + 35 transitive deps) is verified against its sha512 hash at install time. The publish-payload patch step now resolves the module from the local node_modules instead of npm root -g. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>