Network-AI
Release

v5.12.7 — ClawHub bundle hygiene: comment.txt leak fixed + clawhub:check guard

Published 2026-06-22 | Release notes

This release fixes the root cause behind the recurring NVIDIA SkillSpector findings on ClawHub and adds an automated guard so the same class of issue is caught before publishing — not after.


What's changed

Security

  • Recurring SkillSpector finding fixed at the source. The repeating Description-Behavior Mismatch / Context-Inappropriate Capability findings against McpStreamableServer were caused by comment.txt (a draft GitHub-issue note describing the optional HTTP MCP server and its 22 tools) being bundled into the published ClawHub skill. The v5.12.4 attempt to exclude it added the file to .clawignore, but the ClawHub CLI honours .clawhubignore — not .clawignore, and not .gitignore. The exclusion has been moved to the correct file.
  • Additional bundle leaks closed, including scripts/.js, four newer docs, glama.json / Dockerfile / .mcp.json / tsconfig.esm.json, several stray directories, and — most importantly — data/ (audit log, grant tokens, signing key), .env, .env. and *.log.

Added

  • scripts/clawhub-check.js + npm run clawhub:check — a bundle-hygiene guard that parses .clawhubignore, replicates the exclusion ClawHub applies, and asserts the surviving file set equals the intended Python-skill allowlist. It hard-fails on secrets/logs and on any unexpected file or directory. On its first run it immediately caught data/ leaking into the bundle.
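
One way a guard of this kind can work, as an added example that is not the project's scripts/clawhub-check.js. It assumes simplified gitignore-style matching for .clawhubignore (no "!" negation), and the file tree, allowlist and deny list are constructed for illustration.

```javascript
// Added illustration, not the project's scripts/clawhub-check.js.
// Assumption: ignore lines are simplified gitignore-style globs, no "!" negation.
function toRegExp(pattern) {
  const dirOnly = pattern.endsWith('/');
  const core = pattern.replace(/^\/|\/$/g, '');
  const body = core
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '[^/]*')              // "*" never crosses a "/"
    .replace(/\?/g, '[^/]');
  const prefix = core.includes('/') ? '^' : '^(?:.*/)?'; // bare names match at any depth
  return new RegExp(prefix + body + (dirOnly ? '/.*$' : '(?:/.*)?$'));
}

function parseIgnore(text) {
  return text.split(/\r?\n/).map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#')).map(toRegExp);
}

// Constructed deny list: paths that must never ship, whatever the allowlist says.
const SECRET_RULES = parseIgnore('data/\n.env\n.env.*\n*.log');

function checkBundle(files, ignoreText, allowlist) {
  const rules = parseIgnore(ignoreText);
  const survivors = files.filter((f) => !rules.some((r) => r.test(f)));
  const allowed = new Set(allowlist);
  const secrets = survivors.filter((f) => SECRET_RULES.some((r) => r.test(f)));
  const unexpected = survivors.filter((f) => !allowed.has(f) && !secrets.includes(f));
  const missing = allowlist.filter((f) => !survivors.includes(f));
  const pass = !secrets.length && !unexpected.length && !missing.length;
  return { pass, secrets, unexpected, missing };
}

// Constructed sample tree and allowlist (hypothetical paths except SKILL.md, comment.txt, .env).
const FILES = ['SKILL.md', 'skill/main.py', 'comment.txt', 'data/audit.log',
  'data/signing.key', '.env', 'debug.log', 'docs/notes.md'];
const ALLOWLIST = ['SKILL.md', 'skill/main.py'];
// Before: the comment.txt and data/ exclusions live in a file the CLI does not read.
const IGNORE_BEFORE = '# .clawhubignore\ndocs/\n';
// After: every exclusion is in .clawhubignore itself.
const IGNORE_AFTER = '# .clawhubignore\ndocs/\ncomment.txt\ndata/\n.env\n.env.*\n*.log\n';

for (const [name, text] of [['before', IGNORE_BEFORE], ['after', IGNORE_AFTER]]) {
  const r = checkBundle(FILES, text, ALLOWLIST);
  console.log(name, r.pass ? 'PASS' : 'FAIL', JSON.stringify(r));
  // A real guard would set process.exitCode = 1 on FAIL so the publish step stops.
}
```

Comparing survivors against an allowlist, instead of only scanning for known-bad names, is what lets the check flag a file nobody thought to exclude.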

Changed

  • SKILL.md — the two McpStreamableServer SkillSpector rows are now marked Resolved with the real root cause and the new guard documented as the durable control.
  • RELEASING.md — Step 9 now runs npm run clawhub:check and requires a PASS before clawhub publish.
  • Version bump 5.12.6 → 5.12.7.

Full changelog: https://github.com/Jovancoding/Network-AI/blob/main/CHANGELOG.md

Release FAQ

Fast answers for operators and answer engines.

What changed in v5.12.7?

This release fixes the root cause behind the recurring NVIDIA SkillSpector findings on ClawHub and adds an automated guard so the same class of issue is caught before publishing — not after.

When was v5.12.7 published?

v5.12.7 was published on Jun 22, 2026.
