Skill v1.1.0
ClawScan security
nix-memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 16, 2026, 8:41 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior largely matches its stated purpose (local file hashing, drift detection, continuity scoring), but it contains an instruction to fetch a remote installer from a non-standard domain and writes discovery files (.well-known/agent.json) and many local state files — these practices warrant caution before installation.
- Guidance: This skill appears to do what it claims (local hashing, drift detection, scoring), but review and take precautions before installing:
  - Do NOT pipe unfamiliar remote scripts into bash. The quickstart instructions mention 'https://nixus.pro/memory/install.sh' — treat that domain as untrusted until you inspect its content. Prefer running the local provided setup.sh manually.
  - Expect the skill to read and hash many workspace Markdown files, create a .nix-memory directory, write session logs, diffs, a manifest, and an agent.json in the workspace and .well-known. If your workspace contains sensitive files or is served by a webserver, review which files will be tracked and consider a sandbox or backup first.
  - The skill does not request credentials or perform network exfiltration in the bundled scripts, but it can expose metadata via agent.json/.well-known/agent.json — remove or sanitize those if you do not want discovery.
  - If you plan to enable autonomous invocation, be mindful that the agent could run these scripts and modify files automatically; run them manually once to verify behavior before allowing autonomous runs.
  Actions to reduce risk: inspect the included scripts line-by-line (they're plain bash here), run setup.sh in a temporary or read-only copy of your workspace, search for any unexpected network calls, and avoid running the remote quickstart installer without auditing it first.
Review Dimensions
- Purpose & Capability (ok): Name/description (identity hashing, memory integrity, drift, scoring) align with the scripts included: setup, identity hashing, memory verification, drift analysis, watch, and continuity scoring. The skill only requires local filesystem access and optional NIX_MEMORY_WORKSPACE; nothing requested appears unrelated to the described purpose.
- Instruction Scope (note): Runtime instructions are concrete (run setup.sh, watch.sh, continuity-score.sh). The scripts read and hash many workspace files (*.md), create and write state under ${WORKSPACE}/.nix-memory, append/modify HEARTBEAT.md, create memory/ and agent.json/.well-known/agent.json, and log session data. This is coherent with purpose but means the skill will enumerate and persist copies/hashes of workspace files and may expose agent metadata if the workspace is served — review which files it will track before running.
- Install Mechanism (concern): There is no formal install spec, which is low-risk, but quickstart.sh and comments explicitly recommend running a remote install via 'curl -sL https://nixus.pro/memory/install.sh | bash'. That points to a non-standard domain (nixus.pro) and suggests running code fetched remotely without verification. While the bundled scripts themselves do not perform network calls, the presence of that suggestion increases risk and should be treated cautiously.
- Credentials (ok): The skill requests no credentials and only an optional NIX_MEMORY_WORKSPACE override. It does not access unrelated environment secrets. However, it will write persistent local files (.nix-memory, .memory-guard if present, agent.json, .well-known/agent.json) which could leak metadata if the workspace is publicly accessible — consider that a privacy/leakage concern rather than a credential mismatch.
- Persistence & Privilege (note): The skill persists state under the user's workspace (.nix-memory, sessions, drift diffs), creates agent.json and .well-known/agent.json, and can append HEARTBEAT.md. It does not set always:true and does not request elevated system privileges. Persisting files in the workspace is expected for this function, but users should be aware these files remain on disk and may be served or backed up by other systems.
