AetherCore v3.3
v3.3.4AetherCore v3.3.4 - Security-focused final release. High-performance JSON optimization with universal smart indexing for all file types. All security review...
⭐ 1· 274·0 current·0 all-time
byAetherClaw@aetherclawai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (JSON optimization, indexing, compaction) match the included Python CLI, tests, and install script. Declared dependency set (orjson) is minimal and appropriate. Minor oddity: required binaries list includes curl (and git) though provided install.sh and runtime primarily use python3 and git; curl is not used in the visible scripts.
Instruction Scope
SKILL.md and other docs explicitly restrict file access to user-specified paths and warn not to point the tool at sensitive system/credential directories. The runtime commands (python3 scripts) and tests operate on files and sample data. That scope is appropriate, but the repository contains indexing/loader modules (large omitted files) that should be audited to confirm they only operate on explicit paths and do not perform unexpected automatic scanning or network activity.
Install Mechanism
There is no remote install that pulls arbitrary code at runtime; install.sh installs local requirements from requirements.txt (orjson) and runs bundled tests. The scripts claim 'no remote downloads' and the package is provided as source. Slight inconsistency: README/INSTALL examples use git clone from a non-standard domain (https://clawhub.ai/aethercore) rather than a widely-known hosting provider, which is not inherently malicious but worth noting.
Credentials
The skill declares no required environment variables or credentials. The code and install scripts shown do not request secrets or tokens. This is proportionate to the stated functionality.
Persistence & Privilege
always is false and openclaw metadata shows auto_enable/auto_load false. The skill does not request permanent/privileged presence or modify other skills' configurations in the supplied manifests. Autonomous invocation is allowed (platform default) but not combined with broad privileges here.
Assessment
This package appears to be what it says: a local Python JSON/indexing tool that only needs orjson and Python. Before installing or running it on sensitive systems: 1) Inspect the omitted core engine files (src/core/json_performance_engine.py, smart_file_loader_v2, smart_index_engine, index_manager, auto_compaction_system) for any directory-walking, network or subprocess calls, and ensure they require explicit user-supplied paths. 2) Be aware the repo includes a VERIFY_SECURITY_CLAIMS.sh script that uses simple grep checks — these are brittle and can miss dynamic imports or alternative network libraries (e.g., http.client, urllib.request, dynamic importlib usage). 3) Run the install and tests in an isolated environment (container or VM) if you want to be extra safe, and don’t point the tool at system or credential directories. 4) Note the repository URLs reference a custom domain (clawhub.ai) rather than a mainstream code hosting service — verify the origin if provenance matters.Like a lobster shell, security has layers — review code before you run it.
clivk977psd2z07sf4s4xcywsq457982qjf8compactionvk977psd2z07sf4s4xcywsq457982qjf8indexingvk977psd2z07sf4s4xcywsq457982qjf8intelligencevk977psd2z07sf4s4xcywsq457982qjf8jsonvk977psd2z07sf4s4xcywsq457982qjf8latestvk977psd2z07sf4s4xcywsq457982qjf8night-marketvk977psd2z07sf4s4xcywsq457982qjf8optimizationvk977psd2z07sf4s4xcywsq457982qjf8performancevk977psd2z07sf4s4xcywsq457982qjf8production-readyvk977psd2z07sf4s4xcywsq457982qjf8pythonvk977psd2z07sf4s4xcywsq457982qjf8safevk977psd2z07sf4s4xcywsq457982qjf8securityvk977psd2z07sf4s4xcywsq457982qjf8technical-serviceizationvk977psd2z07sf4s4xcywsq457982qjf8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎪 Clawdis
Binspython3, git, curl