This release includes 2 breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
ReleasePort's take
Light signal: Version v2.4.16 eliminates direct account‑funding and checkout language from skill documentation, marketplace descriptors, and related type references.
Why it matters: Affects developers and SREs maintaining skill integrations; update all documentation and schema references before the June 5 release to avoid mismatched expectations.
Summary
AI summary: Removes direct account‑funding and checkout wording from skill docs, clarifies credit balance access, removes stale top‑up fields, and adds guard coverage.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Deprecation | Medium | Removes direct account-funding, checkout, MPP, and pay-per-use capability wording from skill-facing docs and marketplace descriptors. Source: llm_adapter@2026-06-05. Confidence: high | — |
| Deprecation | Medium | Removes stale top-up fields from public type references and changes task-guide metadata to cost confirmation. Source: llm_adapter@2026-06-05. Confidence: high | — |
| Refactor | Low | Adds guard coverage for the Codex plugin version surface and forbidden stale trust‑audit phrases. Source: llm_adapter@2026-06-05. Confidence: low | — |
| Refactor | Low | Clarifies that installable skills can read credit balance and estimate usage costs, while plan and credit changes remain dashboard-only. Source: granite4.1:30b@2026-06-05-audit. Confidence: low | — |
Full changelog
Security audit surface cleanup for Skills.sh trust scans.

- Removes direct account-funding, checkout, MPP, and pay-per-use capability wording from skill-facing docs and marketplace descriptors.
- Clarifies that the installable skill can read credit balance and estimate usage costs, while plan and credit changes remain dashboard-only.
- Removes stale top-up fields from public type references and changes task-guide metadata to cost confirmation.
- Adds guard coverage for the Codex plugin version surface and forbidden stale trust-audit phrases.

Validation:
- node scripts/check-versions.mjs
- npm pack --dry-run --json
- git diff --check
- focused stale-term scan for prior Skills.sh findings
Breaking Changes
- Removes direct account‑funding, checkout, MPP, and pay‑per‑use capability wording from skill‑facing docs and marketplace descriptors
- Removes stale top‑up fields from public type references
About Xquik-dev/x-twitter-scraper
Remote X (Twitter) MCP server with 121 endpoints via 2 tools. Post tweets, reply, like, retweet, follow, DM, search, extract data, run giveaways, and monitor accounts. StreamableHTTP at xquik.com/mcp with API key auth.