v4.0.4 — ReDoS guard + skill.json resource name sync #50

Jovancoding · 2026-02-26T15:15:20Z

Jovancoding
Feb 26, 2026
Maintainer

ReDoS guard (adapters/adapter-registry.ts): user-controlled new RegExp() calls in matchPattern() are now validated before construction — nested quantifiers and patterns >200 chars are rejected, eliminating a potential ReDoS vector (pre-empts CodeQL flag)
skill.json resource names aligned with scripts/check_permission.py: SAP_API → DATABASE, FINANCIAL_API → PAYMENTS, EXTERNAL_SERVICE → EMAIL, DATA_EXPORT → FILE_EXPORT — fixes stale enum values that were never wired to the actual scripts

Patched ClawHub CLI local timeout (15 s → 120 s) so the publish response is received reliably

Version	Fix
v4.0.1	ClawHub re-publish bump
v4.0.2	CodeQL #79 ReDoS (`/\/+$/`), #80 unused import (`ParallelLimitError`), #81 unused import (`BlackboardMCPTools`)
v4.0.3	OpenClaw scan: align SKILL.md + auth-guardian.md resource names
v4.0.4	ReDoS guard in adapter-registry; skill.json enum + version sync

Full changelog: https://github.com/jovanSAPFIONEER/Network-AI/blob/main/CHANGELOG.md

This discussion was created from the release v4.0.4 — ReDoS guard + skill.json resource name sync.