Skill v1.0.10
ClawScan security
Agent Brain · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 12:25 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions largely match its stated purpose (a local persistent memory for agents), but there are a few inconsistencies and privacy-related risks you should understand before installing.
- Guidance: This skill appears to do what it claims (local persistent memory) but has privacy-sensitive behavior and a couple of small inconsistencies you should consider before installing:
  - Review the actual scripts (memory.sh and any code that does ingestion or remote calls) before enabling or giving it any persistent access. Ensure memory directory location and file permissions are acceptable.
  - It relies on local tools (bash, python3, SQLite); the skill metadata doesn't list these as required, so make sure your runtime provides them.
  - By default ingest is disabled, and remote embeddings/mirroring are opt-in. Do NOT set AGENT_BRAIN_EMBEDDING_URL, AGENT_BRAIN_REMOTE_EMBEDDINGS, or any SuperMemory sync env vars unless you trust the external endpoint and understand what data might be sent.
  - The agent is instructed to silently store extracted facts from every message. If you care about privacy, limit automatic extraction (or require explicit user confirmation before storing), enable strict PII mode, and consider encrypting or restricting access to memory.db and backups.
  - If you want higher assurance, run the included test suite in an isolated environment to observe behavior, and audit memory.sh for any references to sourcing external env files or unexpected network calls.

  If you are unsure, treat this as sensitive: the functionality is coherent, but the storage and silent capture behavior makes it privacy-sensitive rather than obviously benign.
Review Dimensions
- Purpose & Capability
  - note: The name/description match the provided scripts and SKILL.md: this is a local SQLite/JSON-backed memory system with retrieval, extraction, conflict checks, and optional remote mirroring. Implementation files (scripts/, sqlite_store.py, json_store.py, etc.) implement the documented features. Minor mismatch: the package does not declare required runtime binaries. The scripts and tests use bash and python3 and the SQLite backend requires sqlite support, yet requires.env is empty; that's an omission rather than evidence of malicious intent.
- Instruction Scope
  - concern: SKILL.md instructs the agent to scan EVERY user message, extract identity/project/tech stack/preferences, and silently store those facts in memory (never announce 'I'm storing this'). While consistent with a memory system, this is privacy-sensitive behavior: it will capture PII and project context unless carefully constrained. The document prohibits storing passwords/keys and marks ingest disabled by default, but the agent-level instruction to run the per-message loop and silently persist extracted content is a significant scope and should be accepted only with awareness. The ingest module permits fetching user-provided URLs (with validation); fetches would send page content to the agent/runtime for extraction.
- Install Mechanism
  - ok: No install spec (no network downloads or package installs): the skill is delivered as scripts and documentation only. This is low install risk. However, the included scripts will run locally and expect standard tooling (bash, python3, sqlite library), which is not listed as an explicit requirement.
- Credentials
  - note: The skill declares no required credentials and operates on local files (memory.db / memory.json). _meta.json contains optional env keys (AGENT_BRAIN_SUPERMEMORY_SYNC, AGENT_BRAIN_PII_MODE) and the code/tests reference optional variables for remote embeddings (AGENT_BRAIN_EMBEDDING_URL, AGENT_BRAIN_REMOTE_EMBEDDINGS). Those are opt-in, but if enabled they could cause memory contents or derived embeddings to be sent to external services. No unexplained secret or unrelated credential requests are present.
- Persistence & Privilege
  - note: The skill creates and maintains persistent local storage (memory.db / memory.json) and is intended to be invoked on every message by the agent. It does not declare always:true and does not modify other skills. The primary risk is data persistence: stored memories may include PII or project secrets if the agent's extraction rules or user confirmations are lax. Optional SuperMemory/remote sync features could make data leave the host if enabled.
