v4.11.1 - fix ClawHub scanner: tighten bundle ignore, clarify sessions_send + PII warnings

Author: jovanSAPFIONEER

.clawhubignore

@@ -1,39 +1,62 @@
-# Only ship SKILL.md + supporting scripts + blackboard template
-# Exclude everything else
+# ClawHub bundle: ship only SKILL.md + scripts/*.py + swarm-blackboard.md + requirements.txt
+# Exclude everything else so TypeScript/Node.js docs don't leak into the Python-only skill bundle.
 
-# TypeScript source & build
+# ── TypeScript source & build ──
 *.ts
 dist/
 lib/
 adapters/
 types/
+bin/
 
-# Config & tooling
+# ── Node.js / config ──
 tsconfig.json
 tsconfig.build.json
 package.json
 package-lock.json
 node_modules/
+setup.ts
 
-# Tests
+# ── Tests ──
 test.ts
 test-*.ts
 
-# Docs (not needed for the skill)
+# ── All docs except SKILL.md ──
 README.md
 QUICKSTART.md
 CHANGELOG.md
 LICENSE
 CONTRIBUTING.md
 CODE_OF_CONDUCT.md
 SECURITY.md
+ARCHITECTURE.md
+ENTERPRISE.md
+INTEGRATION_GUIDE.md
+BENCHMARKS.md
+ADOPTERS.md
+AUDIT_LOG_SCHEMA.md
+RELEASING.md
+CLAUDE.md
+CODEX.md
+SHOW_HN.md
+AWESOME_LISTS.md
+claude-project-prompt.md
+
+# ── Reference docs (TypeScript-specific) ──
+references/
+
+# ── OpenAPI / tooling (TypeScript MCP server) ──
+openapi.yaml
+claude-tools.json
 
-# CI/CD
+# ── Examples (TypeScript) ──
+examples/
+
+# ── CI/CD ──
 .github/
 
-# Other
+# ── Misc ──
 .gitignore
 .npmignore
-*.json
-setup.ts
-references/
+err.txt
+socket.json

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to Network-AI will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.11.1] - 2026-03-22
+
+### Fixed
+- **ClawHub scanner: "suspicious" flag** — tightened `.clawhubignore` to exclude all TypeScript docs, OpenAPI spec, examples, and AI instruction files from the Python-only skill bundle; previously 15+ doc files referencing Node.js/TypeScript features leaked into the ClawHub package, causing a doc/bundle mismatch warning
+- **SKILL.md clarity** — added explicit data-flow notice that `sessions_send` is NOT implemented by this skill (host-platform built-in only), added PII warning for justification fields and audit log, expanded `metadata.openclaw` with `sessions_send`, `pii_warning`, and `data_directory` fields
+
 ## [4.11.0] - 2026-03-22
 
 ### Added

README.md

@@ -5,7 +5,7 @@
 [![Website](https://img.shields.io/badge/website-network--ai.org-4b9df2?style=flat&logo=web&logoColor=white)](https://network-ai.org/)
 [![CI](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml)
 [![CodeQL](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml)
-[![Release](https://img.shields.io/badge/release-v4.11.0-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
+[![Release](https://img.shields.io/badge/release-v4.11.1-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
 [![npm](https://img.shields.io/npm/dw/network-ai.svg?label=npm%20downloads)](https://www.npmjs.com/package/network-ai)
 [![Tests](https://img.shields.io/badge/tests-1684%20passing-brightgreen.svg)](#testing)
 [![Adapters](https://img.shields.io/badge/frameworks-17%20supported-blueviolet.svg)](#adapter-system)

SKILL.md

@@ -5,9 +5,10 @@ metadata:
   openclaw:
     emoji: "\U0001F41D"
     homepage: https://network-ai.org
-    bundle_scope: "Python scripts only (scripts/*.py). All execution is local."
-    network_calls: "none from bundled scripts; platform sessions_send delegations may invoke external models"
-    sessions_ops: "platform-provided"
+    bundle_scope: "Python scripts only (scripts/*.py). All execution is local. No TypeScript, Node.js, adapters, or CLI tools are included in this bundle."
+    network_calls: "none — bundled scripts make zero network calls. The host platform's sessions_send (not part of this skill) may invoke external models."
+    sessions_send: "NOT implemented or invoked by this skill. sessions_send is a host-platform built-in. This skill only provides budget guards that run before the platform delegates."
+    sessions_ops: "platform-provided — outside this skill's control"
     requires:
       bins:
         - python3
@@ -18,11 +19,21 @@ metadata:
         path: data/audit_log.jsonl
         scope: local-only
         description: "Local append-only JSONL file recording operation metadata. No data leaves the machine."
+        pii_warning: "Do not include PII, secrets, or credentials in justification fields. Log entries persist on disk."
+      data_directory:
+        path: data/
+        scope: local-only
+        files: ["audit_log.jsonl", "active_grants.json", "project-context.json"]
+        description: "All persistent state is local-only. No files are transmitted over the network."
 ---
 
 # Swarm Orchestrator Skill
 
-> **Scope:** The bundled Python scripts (`scripts/*.py`) make no network calls, use only the Python standard library, and have zero third-party dependencies. Tokens are UUID-based (`grant_{uuid4().hex}`) stored in `data/active_grants.json`. Audit logging is plain JSONL (`data/audit_log.jsonl`). Workflow delegations that use the host platform's `sessions_send` may invoke external model APIs outside this skill's control.
+> **Scope:** The bundled Python scripts (`scripts/*.py`) make **no network calls**, use only the Python standard library, and have **zero third-party dependencies**. Tokens are UUID-based (`grant_{uuid4().hex}`) stored in `data/active_grants.json`. Audit logging is plain JSONL (`data/audit_log.jsonl`).
+
+> **Data-flow notice:** This skill does NOT implement, invoke, or control `sessions_send`. That is a host-platform built-in (OpenClaw runtime). The orchestration instructions below describe *when* to call the platform's `sessions_send` after budget checks pass — but the actual network call, model endpoint, and data transmission are entirely the host platform's responsibility. If you need to prevent external network calls, disable or reroute `sessions_send` in your platform settings before installing this skill.
+
+> **PII / sensitive-data warning:** The `justification` field in permission requests and the audit log (`data/audit_log.jsonl`) store free-text strings provided by agents. **Do not include PII, secrets, or credentials in justification text.** Consider restricting file permissions on `data/` or running this skill in an isolated workspace.
 
 ## Setup
 
@@ -515,6 +526,8 @@ Sequential processing - output of one feeds into next.
 
 **Every sensitive action MUST be logged to `data/audit_log.jsonl`** to maintain compliance and enable forensic analysis.
 
+> **Privacy note:** Audit log entries contain agent-provided free-text fields (justifications, descriptions). These are stored locally in `data/audit_log.jsonl` and never transmitted over the network by this skill. However, **do not put PII, passwords, or API keys in justification strings** — they persist on disk. Consider periodic log rotation and restricting OS file permissions on the `data/` directory.
+
 ### What Gets Logged Automatically
 
 The scripts automatically log these events:

openapi.yaml

@@ -6,7 +6,7 @@ info:
     blackboard coordination, parallel agent spawning, and permission gating
     via AuthGuardian. Requires the companion MCP server:
     `npm install -g network-ai && npx network-ai-server --port 3001`
-  version: 4.11.0
+  version: 4.11.1
   license:
     name: MIT
     url: https://github.com/Jovancoding/Network-AI/blob/main/LICENSE

package.json

@@ -1,6 +1,6 @@
 {
   "name": "network-ai",
-  "version": "4.11.0",
+  "version": "4.11.1",
   "description": "AI agent orchestration framework for TypeScript/Node.js - 17 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS + streaming variants). Built-in CLI, security, swarm intelligence, real-time streaming, and agentic workflow patterns.",
   "homepage": "https://network-ai.org",
   "main": "dist/index.js",

skill.json

@@ -1,6 +1,6 @@
 {
   "name": "SwarmOrchestrator",
-  "version": "4.11.0",
+  "version": "4.11.1",
   "description": "Local Python orchestration skill: multi-agent workflows via shared blackboard file, permission gating, token budget scripts, and persistent project context. The bundled Python scripts make no network calls and have zero third-party dependencies. Workflow delegations via the host platform's sessions_send may invoke external model APIs.",
   "author": "Network-AI Community",
   "homepage": "https://network-ai.org",