v5.12.4 - SkillSpector triage & Socket.dev scan gap
v5.12.4 — SkillSpector triage, SKILL.md trigger hardening, Socket.dev scan gap
A hardening and triage release targeting ClawHub SkillSpector findings from v5.12.3 and a Socket.dev scan gap in the dual CJS+ESM build. No breaking changes; all 3,269 tests across 33 suites pass.
Security
- SkillSpector findings resolved. Added `.clawignore` to exclude `comment.txt` from ClawHub packages — the file (an in-progress draft note) was inadvertently included in 5.12.3 via `clawhub publish .` and its McpStreamableServer bridge-pattern description triggered Description-Behavior Mismatch (High, 93%) and Context-Inappropriate Capability (Medium, 88%) findings.
- SKILL.md trigger hardening. Replaced the broad "When to Use This Skill" bullet list with explicit Use/Do-NOT-Use sections, resolving Vague Triggers (Medium, 81%). Shell execution, agent spawning, and MCP server startup are now explicitly called out as out-of-scope for the Python skill bundle.
Changed
- Socket.dev triage gap closed. Added 9 missing entries from the 5.12.3 scan: declaration-file false positives (`dist/adapters/a2a-adapter.d.ts`, `dist/lib/approval-inbox.d.ts`), three ESM adapter mirrors (`aps-adapter.js`, `hermes-adapter.js`, `rlm-adapter.js`), and four shell-access entries for example and bootstrap scripts. networkAccess 59 → 64, shellAccess 6 → 10.
Install
npm install network-ai@5.12.4