AetherCore v3.3
ReviewAudited by ClawScan on May 10, 2026.
Overview
AetherCore appears to be a disclosed local JSON/indexing tool, but it can read/write user-selected files and create indexes, so use it only on intended data.
This skill looks purpose-aligned and not malicious based on the provided artifacts. Install it in an isolated Python environment, review the dependency install, and only run indexing or compaction on specific folders you trust—preferably with backups if files may be rewritten.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you point the tool at the wrong directory, it may read or modify files you did not intend to process.
The skill intentionally performs local file reads and possible writes, which is aligned with optimization and compaction but could affect the wrong files if broad or sensitive paths are supplied.
commands will read and potentially write to files/directories at the paths you specify
Run it only on trusted, intended files or copies/backups, and avoid system, credential, browser-profile, and secret directories.
Private document contents or metadata could become part of local search indexes if you include those files.
Creating indexes for arbitrary file types may produce reusable search data derived from local content, including sensitive content if the user selects such paths.
Universal Smart Indexing System: Supports ALL file types ... File Indexing: Creates search indexes for specified files/directories
Index only narrow project folders, exclude secrets and private records, and review where generated indexes/caches are stored and how to delete them.
Installation may fetch the latest compatible dependency version, which can change over time.
The install script installs a Python dependency from the package ecosystem; this is normal for the tool, but the dependency in requirements.txt is specified as a lower-bound version rather than a fully pinned hash.
pip3 install -r requirements.txt --quiet
Install in a virtual environment and consider pinning or reviewing dependency versions before use in sensitive environments.
Overconfident safety wording could make users less careful when selecting files to process.
The artifacts make strong safety and prior-review claims. These are not malicious by themselves, but users should not treat them as a substitute for their own review and cautious scoping.
All ClawHub Security Review Issues Fully Resolved ... Production Ready: Safe, transparent, and fully verified for sensitive data environments
Treat the security claims as project statements, not guarantees; still use least-privilege paths and inspect behavior before processing sensitive data.