Skillv1.0.1

ClawScan security

smart-memory-manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 10, 2026, 3:29 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's behavior matches a memory manager, but it can read/write arbitrary filesystem paths and imports remote code at runtime — both of which enable data-exfiltration and supply-chain risks that the user should consider before installing.
Guidance: This skill appears functionally consistent with a memory manager, but two practical risks deserve attention: (1) It will fetch third-party modules from deno.land at runtime — review and pin/ vendor those dependencies if you want to avoid implicit network-loaded code. (2) The load/save API accepts arbitrary file paths and uses Deno.readTextFile/Deno.writeTextFile; if the agent runtime has filesystem permissions, an attacker or misconfigured agent could read sensitive local files (for example dotfiles, credentials) and return their contents via search/list/summarize. Before installing: ensure your agent runtime is constrained (e.g., run in a sandbox or deny filesystem access), only use safe persistPath locations you control, inspect or vendor the imported deno.land modules, and avoid granting this skill broad autonomous privileges. If you need help limiting its filesystem capabilities or auditing the remote imports, consider code-reviewing and running the skill in an isolated environment first.

Review Dimensions

Purpose & Capability: okName/description and the code align: it implements short/long/important memory layers, search, summarization, and save/load persistence. File I/O and simple semantic/keyword search are reasonable capabilities for a memory manager.
Instruction Scope: concernSKILL.md and the API expose load/save with an unrestricted persistPath parameter. The implementation uses Deno.readTextFile to load any path and returns memory contents via list/search/summarize — this enables reading arbitrary files and returning their contents, which is outside a narrow 'memory manager' scope unless the user explicitly chooses safe paths.
Install Mechanism: noteThere is no install spec, but the code imports third-party modules directly from deno.land (zod and std/encoding). That means runtime will fetch remote code from the network; this is normal for Deno but is a supply-chain risk compared with vendored or packaged dependencies.
Credentials: concernThe skill requests no env vars, which is proportional, but it performs arbitrary filesystem read/write (Deno.readTextFile / Deno.writeTextFile) with user-supplied paths. If the agent runs with filesystem permissions, the skill can read sensitive local files and then expose them in outputs — a high-risk capability relative to typical memory persistence needs unless paths are restricted.
Persistence & Privilege: noteThe skill is not always-enabled and does not modify other skills. However, because it can persist to arbitrary disk paths and load arbitrary files, installing it in an environment with broad file-system permissions grants it effective persistent access to local data. Consider limiting runtime permissions or paths.