PR #40: release(v1.2.3): exclude tests from ClawHub archive

• Repository: getaxonflow/axonflow-openclaw-plugin
• Author: saurabhjain1592
• State: closed | merged: True
• Link: https://github.com/getaxonflow/axonflow-openclaw-plugin/pull/40

Description (problem / solution / changelog)

Summary

Ships v1.2.3 to unblock `openclaw plugins install @axonflow/openclaw` on the just-released OpenClaw 2026.4.14, where our unit tests were triggering the install-time scanner.

Background

OpenClaw 2026.4.14 (released April 15 UTC) landed two relevant changes:

1. Fixed scoped-package ENOENT bug (openclaw/openclaw#66618) — the bug we filed yesterday. Users on 2026.4.14+ can now use the primary install command without the `npm pack` workaround.
2. Install scanner upgraded from warn → block on files that combine `process.env.X` access with `fetch()` calls. Our `tests/telemetry.test.ts` mocks both for opt-out coverage, which the scanner treats as "possible credential harvesting" and blocks installation. Filed upstream: openclaw/openclaw#66840.

Change

New `.clawhubignore` (gitignore-syntax, natively supported by `clawhub package publish`) excludes: `tests/`, `tests/`, `.{test,spec}.{ts,js}`, `src/`, `scripts/`, `.github/`, `tsconfig.json`, `jest.config.`, `.eslintrc`, `.prettierrc*`, `coverage/`, `.tgz`, `dist/**/.map`.

Runtime artifacts that still ship to ClawHub: `dist/`, `openclaw.plugin.json`, `policies/`, `package.json`, `README.md`, `CHANGELOG.md`, `LICENSE`.

Verification (local, against OpenClaw 2026.4.14)

• `npm test` — 107/107 passing
• `npm pack` tgz contains no test files
• `openclaw plugins install ./axonflow-openclaw-1.2.3.tgz` installs cleanly with no warnings or blocks
• Plugin loads and connects to AxonFlow correctly

Test plan

• CI green
• After merge + tag v1.2.3, verify `openclaw plugins install @axonflow/openclaw` works end-to-end via ClawHub on 2026.4.14

Changed files

• .clawhubignore (added, +77/-0)
• CHANGELOG.md (modified, +9/-0)
• clawhub/1.4.0/SKILL.md (modified, +1/-14)
• package.json (modified, +1/-1)
• src/index.ts (modified, +1/-1)

---

PR #66854: fix: skip test files in install security scanner

• Repository: openclaw/openclaw
• Author: nightq
• State: closed | merged: False
• Link: https://github.com/openclaw/openclaw/pull/66854

Description (problem / solution / changelog)

Summary

Skip test files during the install-time security scan to prevent false positives from standard unit-testing patterns.

Root Cause

The install-time static scanner flags test files containing process.env.X + fetch() patterns as dangerous code (possible credential harvesting). This is a standard unit-testing pattern for code that reads environment variables and makes HTTP calls (telemetry opt-out, feature flags, auth token refresh, etc.). The scanner treats this test-file co-location as equivalent to a runtime exfiltration vector.

Fix

Added isTestFile() helper that filters out files matching test patterns from the scanner:

• tests/ and test/ directories
• __tests__/ directories
• *.test.{ts,js,mts,mjs,cts,cjs,tsx,jsx} files
• *.spec.{ts,js,mts,mjs,cts,cjs,tsx,jsx} files

The filter applies to both forced files (--include) and walked files during directory traversal.

Test Plan

• Install a plugin with test files containing env+fetch mocks — should no longer be blocked
• Install a plugin with actual dangerous code in source files — should still be blocked
• Existing scanner tests pass

Closes openclaw#66840

Changed files

• src/security/skill-scanner.ts (modified, +17/-1)

---

PR #67050: fix: skip test files and directories in install security scanner

• Repository: openclaw/openclaw
• Author: Magicray1217
• State: open | merged: False
• Link: https://github.com/openclaw/openclaw/pull/67050

Description (problem / solution / changelog)

Summary

The install-time security scanner blocks plugins that ship unit tests containing process.env access + fetch() calls in the same file. This is a standard unit-testing pattern (mocking env vars and network for telemetry opt-out tests, feature flag tests, etc.) and triggers false-positive "credential harvesting" findings.

Changes

In walkDirWithLimit (src/security/skill-scanner.ts):

• Skip common test directories: tests/, __tests__/, test/, __mocks__/, __fixtures__/
• Skip test file patterns: *.test.*, *.spec.*, *.mock.*

These files are never loaded at plugin runtime and should not be scanned for security threats.

Impact

Plugins like @axonflow/openclaw that include test files in their ClawHub archive will no longer be blocked during installation due to false-positive security findings from test mocks.

Fixes #66840

Changed files

• src/security/skill-scanner.ts (modified, +20/-0)