Security audit
ExperienceEngine
Security checks across malware telemetry and agentic risk
Overview
The skill has a legitimate coding-agent memory purpose, but this release needs review because its packaged runtime is missing and one hook path downloads and executes a different npm package version at runtime.
Review this before installing. The product concept is coherent, but this release’s runtime packaging is not: the reviewed tarball does not include the declared executable files, and the Claude plugin path can fetch code from npm during startup. Install only if you are comfortable with coding-agent hooks observing prompts/tool activity and with that external runtime behavior; otherwise wait for a release that bundles the expected runtime and pins the same reviewed version.
VirusTotal
60/60 vendors flagged this plugin as clean.
Static analysis
No suspicious patterns detected.
