Jovancoding/Network-AI

v5.8.2 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 10d MCP Developer Tools

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 2 known CVEs

Topics

agent-framework agent-orchestration ai-agents autogen blackboard blackboard-architecture

+14 more

crewai hermes hermes-agent langchain llm mcp multi-agent nemoclaw nodejs openclaw orchestration rlm typescript workflow-engine

Affected surfaces

auth rbac

ReleasePort's take

Light signal

editorial:auto 10d

Token exposure in grant listings is now masked and prompt injection execution is blocked (exit 1) unless the `--force` flag is used.

Why it matters: Masking full tokens prevents credential leakage; blocking prompt‑injection by default reduces risk of unauthorized command execution, with an override via `--force` for exceptional cases.

Summary

AI summary

Token exposure in grant listings is masked, prompt injection now blocks execution, and SkillSpector documentation clarifies capabilities.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Token exposure in grant listings fixed; full tokens now masked. Token exposure in grant listings fixed; full tokens now masked. Source: llm_adapter@2026-05-24 Confidence: high	—
Security	Medium	Prompt injection now blocks execution; exit 1 when detected unless `--force` flag used. Prompt injection now blocks execution; exit 1 when detected unless `--force` flag used. Source: llm_adapter@2026-05-24 Confidence: high	—
Feature
Feature	Medium	Added machine‑readable `capabilities` block in SKILL.md listing filesystem, env_vars, shell_exec, tcp_port surfaces. Added machine‑readable `capabilities` block in SKILL.md listing filesystem, env_vars, shell_exec, tcp_port surfaces. Source: llm_adapter@2026-05-24 Confidence: low	—
Feature	Medium	Split `bundle_scope` and `network_calls` into structured sub‑fields for clarity. Split `bundle_scope` and `network_calls` into structured sub‑fields for clarity. Source: llm_adapter@2026-05-24 Confidence: low	—
Feature	Medium	Added explicit `DENY` conditions and scoping rules to `delegate_task` and `spawn_parallel_agents` in claude-tools.json. Added explicit `DENY` conditions and scoping rules to `delegate_task` and `spawn_parallel_agents` in claude-tools.json. Source: llm_adapter@2026-05-24 Confidence: low	—
Feature	Medium	Updated SECURITY.md and SKILL.md with warnings against using `auto_approve: true` in production. Updated SECURITY.md and SKILL.md with warnings against using `auto_approve: true` in production. Source: llm_adapter@2026-05-24 Confidence: low	—
Feature	Medium	Documented that justification fields are stored verbatim and must not contain PII, credentials, or secrets in SECURITY.md. Documented that justification fields are stored verbatim and must not contain PII, credentials, or secrets in SECURITY.md. Source: llm_adapter@2026-05-24 Confidence: low	—

Full changelog

Network-AI v5.8.2 — Security & SkillSpector fixes

This patch resolves 8 findings from the ClawHub SkillSpector v5.8.1 scan, including two security fixes.

Security fixes

Token exposure in grant listings (Ssd3, 98% confidence)
scripts/check_permission.py --active-grants --json previously included a token_full field with the live grant token in every listing entry. Full tokens are now only shown at issuance time. All listing output uses the masked prefix (token[:16] + "...") only. The script header now includes an explicit warning that justification strings are logged verbatim to data/audit_log.jsonl and must not contain PII, credentials, or secrets.

Prompt injection not blocked in context_manager.py (Missing User Warnings, 93% confidence)
context_manager.py inject previously warned to stderr about detected prompt-injection patterns in data/project-context.json but still proceeded to emit the context block. Injection is now blocked (exit 1) when _validate_context() returns warnings. A new --force flag allows operators to override in explicitly trusted/CI environments. This prevents adversarially-crafted context entries from persisting across agent sessions.

Metadata / documentation fixes

SKILL.md — explicit capabilities manifest (Lp3, 90%): Added a machine-readable capabilities block under metadata.openclaw declaring filesystem, env_vars, shell_exec, and tcp_port surfaces, scope, and conditions.
SKILL.md — scope ambiguity resolved (Mismatch Medium/High, 92%/89%): bundle_scope and network_calls split from single prose strings into structured sub-fields: clawhub_python_scripts (local-only, zero network) vs npm_full_package (TypeScript library + CLI + optional MCP SSE server). Operators can now unambiguously determine what ClawHub ships vs what npm install delivers.
claude-tools.json — vague trigger conditions (Vague Triggers, 83%): Added explicit DENY conditions and scoping rules to delegate_task and spawn_parallel_agents describing when the tools must not be invoked.
SECURITY.md — auto-approve warning (Excessive Agency, 78%): ApprovalGate entry updated to explicitly warn that auto_approve: true is only appropriate in isolated CI/dev sandboxes and must never be used in production. Also added to SKILL.md privacy.auto_approve_warning.
SECURITY.md — justification field sensitivity (Ssd3, 94%): SecureAuditLogger table entry now documents that justification fields are stored verbatim and must not contain PII, credentials, or secrets.

Files changed

scripts/check_permission.py, scripts/context_manager.py, SKILL.md, claude-tools.json, SECURITY.md, .github/SECURITY.md, CHANGELOG.md, package.json, skill.json, openapi.yaml, README.md, and all version-bearing doc files.

Security Fixes

Token exposure: Full token removed from grant listings; only masked prefix shown (`token[:16] + "..."`). Header warns audit_log.jsonl logs justification strings verbatim.
Prompt injection: `context_manager.py inject` now exits with code 1 on detected patterns and blocks context emission. Added `--force` flag for CI/trusted environments.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Jovancoding/Network-AI

Get notified when new releases ship.

About Jovancoding/Network-AI

Multi-agent orchestration MCP server with race-condition-safe shared blackboard. 20+ MCP tools: blackboard read/write, agent spawn/stop, FSM transitions, budget tracking, token management, and audit log query. `npx network-ai-server --port 3001`.

All releases →