This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
Light signal
ReleasePort Layer 1 v5.8.1 corrects SKILL.md frontmatter, updates THREAT_MODEL.md clarifications, and revises swarm_guard.py I/O headers.
Why it matters: Fixing documentation mismatches resolves SkillSpector findings that could mislead developers and security analysts about package scopes, cloud service boundaries, and file handling.
Summary
AI summary: Fixed documentation mismatches and script I/O descriptions to resolve SkillSpector findings.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Bugfix | Medium | Updates THREAT_MODEL.md to clarify that there is no SaaS/cloud-hosted service and notes the optional MCP SSE server as a network boundary. Source: llm_adapter@2026-05-24. Confidence: high. | — |
| Bugfix | Medium | Updates scripts/swarm_guard.py I/O header to list actual files written and document data directory handling. Source: llm_adapter@2026-05-24. Confidence: high. | — |
| Bugfix | Medium | Corrects SKILL.md frontmatter to accurately describe Python and npm package scopes and network behavior. Source: llm_adapter@2026-05-24. Confidence: low. | — |
| Bugfix | Medium | Corrects SKILL.md frontmatter to accurately describe Python script scope (local‑only, stdlib‑only, no network) and npm package components (TypeScript modules, CLI, optional MCP SSE server). Source: granite4.1:30b@2026-05-24-audit. Confidence: low. | — |
Full changelog
What's changed
Fixed
- `SKILL.md` frontmatter (`bundle_scope` / `network_calls`) — Fields now accurately describe both scopes: Python scripts are local-only, stdlib-only, zero network calls; the full npm package also includes TypeScript modules, a CLI, and an optional self-hosted MCP SSE server that binds a TCP port when explicitly started by the operator and requires a non-empty bearer-token secret. Resolves ClawHub SkillSpector High findings (Intent-Code Divergence, Description-Behavior Mismatch).
- `THREAT_MODEL.md` — "There is no hosted service" replaced with "There is no SaaS or cloud-hosted service" with an explicit callout that the optional MCP SSE server is a network-reachable service boundary when started by the operator. Resolves SkillSpector Medium finding (Intent-Code Divergence).
- `scripts/swarm_guard.py` I/O header — READS/WRITES comment updated to list all files actually written (`task_tracking.json`, `agent_health.json`, `budget_tracking.json`) and to document that the base data directory is `data/` or `data/<env>/` when `NETWORK_AI_ENV` / `--env` is set. Resolves SkillSpector Medium findings (Description-Behavior Mismatch, Intent-Code Divergence).
Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md
Security Fixes
- Updated THREAT_MODEL.md to clarify that the optional MCP SSE server is a network‑reachable service boundary when started by the operator, resolving an Intent-Code Divergence finding.
About Jovancoding/Network-AI
Multi-agent orchestration MCP server with race-condition-safe shared blackboard. 20+ MCP tools: blackboard read/write, agent spawn/stop, FSM transitions, budget tracking, token management, and audit log query. `npx network-ai-server --port 3001`.