network-ai 5.4.2 → 5.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/INTEGRATION_GUIDE.md +1 -1
  2. package/README.md +4 -3
  3. package/SKILL.md +11 -0
  4. package/package.json +1 -1
package/INTEGRATION_GUIDE.md CHANGED
@@ -564,4 +564,4 @@ Run these before declaring the integration production-ready:
564
564
 
565
565
  ---
566
566
 
567
- *Network-AI v5.4.2 · MIT License · https://github.com/Jovancoding/Network-AI*
567
+ *Network-AI v5.4.3 · MIT License · https://github.com/Jovancoding/Network-AI*
package/README.md CHANGED
@@ -5,7 +5,7 @@
5
5
  [![Website](https://img.shields.io/badge/website-network--ai.org-4b9df2?style=flat&logo=web&logoColor=white)](https://network-ai.org/)
6
6
  [![CI](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml)
7
7
  [![CodeQL](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml)
8
- [![Release](https://img.shields.io/badge/release-v5.4.2-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
8
+ [![Release](https://img.shields.io/badge/release-v5.4.3-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
9
9
  [![npm](https://img.shields.io/npm/dw/network-ai.svg?label=npm%20downloads)](https://www.npmjs.com/package/network-ai)
10
10
  [![Tests](https://img.shields.io/badge/tests-2976%20passing-brightgreen.svg)](#testing)
11
11
  [![Adapters](https://img.shields.io/badge/frameworks-29%20supported-blueviolet.svg)](#adapter-system)
@@ -472,11 +472,12 @@ npm run test:phase12 # Context Throttler, Partition Planner, Coverage Gate,
472
472
  | [QUICKSTART.md](QUICKSTART.md) | Installation, first run, CLI reference, PowerShell guide, Python scripts CLI |
473
473
  | [ARCHITECTURE.md](ARCHITECTURE.md) | Race condition problem, FSM design, handoff protocol, module inventory, project structure |
474
474
  | [BENCHMARKS.md](BENCHMARKS.md) | Provider performance, rate limits, local GPU, `max_completion_tokens` guide |
475
- | [SECURITY.md](SECURITY.md) | Security module, permission system, trust levels, audit trail, v5.0 security additions |
475
+ | [SECURITY.md](SECURITY.md) | Security module, permission system, trust levels, audit trail, v5.0 security additions, ClawHub scan findings |
476
476
  | [ENTERPRISE.md](ENTERPRISE.md) | Evaluation checklist, stability policy, security summary, integration entry points |
477
477
  | [AUDIT_LOG_SCHEMA.md](AUDIT_LOG_SCHEMA.md) | Audit log field reference, all event types, scoring formula |
478
478
  | [ADOPTERS.md](ADOPTERS.md) | Known adopters — open a PR to add yourself |
479
479
  | [INTEGRATION_GUIDE.md](INTEGRATION_GUIDE.md) | End-to-end integration walkthrough with v5.0 modules |
480
+ | [SKILL.md](SKILL.md) | OpenClaw/ClawHub Python skill — setup, orchestrator protocol, security scan findings |
480
481
  | [references/adapter-system.md](references/adapter-system.md) | Adapter architecture, all 29 adapters, writing custom adapters |
481
482
  | [references/auth-guardian.md](references/auth-guardian.md) | Permission scoring, resource types, IAuthValidator interface |
482
483
  | [references/trust-levels.md](references/trust-levels.md) | Trust level configuration, APS delegation-chain mapping |
@@ -523,7 +524,7 @@ Join our Discord server to discuss multi-agent AI coordination, get help, and sh
523
524
 
524
525
  ---
525
526
 
526
- MIT License — [LICENSE](LICENSE)  ·  [CHANGELOG](CHANGELOG.md)  ·  [CONTRIBUTING](CONTRIBUTING.md)  ·  [![RSS](https://img.shields.io/badge/RSS-releases-orange?logo=rss)](https://github.com/Jovancoding/Network-AI/releases.atom)
527
+ MIT License — [LICENSE](LICENSE)  ·  [CHANGELOG](CHANGELOG.md)  ·  [CONTRIBUTING](CONTRIBUTING.md)  ·  [Code of Conduct](CODE_OF_CONDUCT.md)  ·  [Security Policy](SECURITY.md)  ·  [![RSS](https://img.shields.io/badge/RSS-releases-orange?logo=rss)](https://github.com/Jovancoding/Network-AI/releases.atom)
527
528
 
528
529
  <details>
529
530
  <summary>Keywords</summary>
package/SKILL.md CHANGED
@@ -703,6 +703,17 @@ python {baseDir}/scripts/swarm_guard.py supervisor-review --task-id "task_001"
703
703
  - Run `sessions_list` (OpenClaw platform built-in) to see available sessions
704
704
  - Session may need to be started first
705
705
 
706
+ ## Security Scan Findings (ClawHub)
707
+
708
+ This skill is scanned on every publish. The following Notes are flagged by design and will recur on every scan. They are acknowledged and mitigated with documented controls — they are not bugs or vulnerabilities.
709
+
710
+ | Finding | Confidence | Why it recurs | Documented control |
711
+ |---------|------------|---------------|--------------------|
712
+ | **ASI01** Agent Goal Hijack | High | Orchestrator skill forces 3-sub-task decomposition by design | Use this skill only when multi-agent orchestration is desired; disable for simple one-shot tasks |
713
+ | **ASI03** Identity and Privilege Abuse | High | Grant tokens are advisory only — caller identity is not cryptographically verified | Tokens are explicitly marked advisory in SKILL.md and source; require separate platform auth and human approval before any real database, payment, email, or export action |
714
+ | **ASI06** Memory and Context Poisoning | High | Persistent `data/project-context.json` is injected into agent sessions by design | `_validate_context()` runs injection-pattern detection before every inject; do not store secrets/credentials; review `data/project-context.json` before use; clear `data/` between projects |
715
+ | **ASI07** Insecure Inter-Agent Communication | Medium | Skill delegates work but inter-agent messaging is handled by the host platform | SKILL.md explicitly documents that `sessions_send` and all inter-agent messaging are the host platform's responsibility; configure host platform network settings before use with sensitive tasks |
716
+
706
717
  ## References
707
718
 
708
719
  This skill is part of the larger [Network-AI](https://github.com/Jovancoding/Network-AI) project. See the repository for full documentation on the permission system, blackboard schema, and trust-level calculations.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "network-ai",
3
- "version": "5.4.2",
3
+ "version": "5.4.3",
4
4
  "description": "AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Computer Use, OpenAI Agents SDK, Vertex AI, Pydantic AI, Browser Agent, Hermes, Orchestrator, RLM + streaming variants). Built-in CLI, security, swarm intelligence, real-time streaming, and agentic workflow patterns.",
5
5
  "homepage": "https://network-ai.org",
6
6
  "main": "dist/index.js",