Skill v3.0.0
ClawScan security
Memphis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 3, 2026, 10:58 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions broadly match a local 'AI brain' CLI, but there are mismatches and omissions (undeclared env vars, network/share-sync features despite 'offline-first' claims, and instructions that read/share local data) that warrant caution before installing or running it.
- Guidance
- This package is plausible for an 'AI brain' CLI, but several things don't add up and you should verify before installing or running it:
  - Audit the memphis CLI code (the actual executable installed by clawhub). This SKILL.md is only instructions; the dangerous behavior would be in the CLI implementation.
  - Confirm default network behavior: is IPFS/share-sync disabled by default? What data is shared, and with whom? Do not run share-sync or any 'share' or 'sync' commands until you understand defaults.
  - Treat the vault and example commands as potentially sensitive: the docs show using MEMPHIS_VAULT_PASSWORD and storing API keys (openai-key). Ensure you do not add real secrets until you trust the implementation. Ask for details on vault encryption and key derivation.
  - Review what 'memphis git-analyze --auto-decide' inspects (full repo history? other repos/home files?). That command can read and infer from local git history; run it in a sandbox first.
  - Because the skill is instruction-only, the direct risk comes from the external memphis binary. Install and test in an isolated environment (VM/container) and inspect network traffic before using on sensitive data.

  If the publisher can provide (or you can find) the memphis CLI source code and clear documentation of default network/telemetry behavior and vault key management, re-evaluate after reviewing those. If you cannot review the implementation, treat this as higher-risk and run only in isolated environments.
Review Dimensions
- Purpose & Capability
- note: The name/description (local-first AI brain with vault, memory chains, git analysis, IPFS share-sync) generally align with the CLI commands shown. However the README/SKILL.md emphasize 'offline-first' and 'privacy-first' while also advertising multi-agent sync via IPFS and 'share-sync', a direct conflict unless network features are optional and opt-in. The skill declares no required credentials or env vars, yet the docs show using a vault password and storing API keys. These inconsistencies reduce confidence that the declared metadata accurately represents required capabilities.
- Instruction Scope
- concern: SKILL.md instructs running CLI commands that read and write persistent data (journal, vault, backups, logs at ~/.memphis), analyze git history (memphis git-analyze --auto-decide), and sync/share via IPFS. Those actions can access large amounts of local information and (optionally) transmit it to external networks. The docs also include vault use examples (memphis vault add openai-key sk-xxx) and reference env var usage (MEMPHIS_VAULT_PASSWORD). The skill text does not limit or explain default network behavior (what is shared by default), and a truncated section suggests more network features. Instruction scope therefore goes beyond simple local queries and could result in broad data access/transmission.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec or embedded code files, which means the skill itself does not drop code onto the system. That lowers immediate risk from the skill bundle. However the instructions rely on an external CLI (memphis) installed via 'clawhub install memphis', which is outside this package and needs auditing separately.
- Credentials
- concern: skill.json and registry metadata declare no required env vars or primary credential, but SKILL.md examples reference MEMPHIS_VAULT_PASSWORD and show adding secrets like 'openai-key sk-xxx' to the vault. The skill claims to manage encrypted secrets yet does not declare or explain required env config or how keys are protected. Requesting or handling API keys and vault passwords is proportionate to a vault feature, but the omission from the declared requirements is an incoherence and increases risk (user may unknowingly expose secrets when following examples).
- Persistence & Privilege
- note: always is false (good). Model invocation is allowed (default). The skill describes persistent storage (vault, chains, backups) and network sync; those are normal for the feature set but increase the blast radius if network sharing is enabled. The package does not try to modify other skills or system-wide agent settings in the provided content.
