Cortex

Security checks across malware telemetry and agentic risk

Overview

Cortex appears to be a legitimate memory tool, but it needs review because it installs an external binary, can run ongoing sync, modifies shell startup files, and may centralize sensitive data.

Install only if you intentionally want a persistent agent memory database. Prefer a pinned, verified Cortex release; review the upstream binary or source before running setup; start with a small, non-sensitive folder; avoid enabling sync for every connector at once until you understand what data each provider's scope exposes; do not enable scheduled sync until you know how to disable it; and back up the Cortex database before using reimport.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises and documents shell-capable operations such as installation, import, cleanup, scheduling, and MCP startup, but does not declare any permissions. In an agent ecosystem, undeclared shell capability is dangerous because it weakens user consent and policy enforcement, allowing filesystem and process-affecting actions to be invoked with less scrutiny.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially exceeds the stated purpose: it includes downloading an external binary, modifying shell configuration, and potentially deleting the local database during reimport. That mismatch is security-relevant because users may trust the skill as a harmless local memory helper while it performs installation, persistence, and destructive operations not clearly disclosed.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The setup script edits the user's shell startup file to persistently change PATH, which expands its behavior beyond a one-time local install. While not overtly malicious here, persistent profile modification can surprise users, alter command resolution, and create longer-term trust and security implications if the install directory later contains unexpected executables.
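The practical check for this finding is to see what the installer appended to your shell startup file and to be able to undo it. The script below is an added example, not Cortex's setup script: it shows how a persistent PATH edit can be made once, listed, and reverted with a backup. The rc file path, the install directory (/opt/cortex/bin) and the marker comment are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not Cortex's setup script): an auditable, reversible PATH edit.
# The marker string and the install directory are assumptions for the demo.
set -eu

MARKER='# added by cortex setup'   # assumed tag so the line can be found again later

# add_path_line RC_FILE DIR: append one export for DIR; re-running is a no-op,
# so repeated setup runs cannot stack duplicate entries.
add_path_line() {
  rc=$1; dir=$2
  line="export PATH=\"$dir:\$PATH\" $MARKER"
  if [ -f "$rc" ] && grep -Fqx "$line" "$rc"; then
    return 0
  fi
  printf '%s\n' "$line" >> "$rc"
}

# list_path_edits RC_FILE: print every line that rewrites PATH, tagged or not,
# which is what you want to read after any installer touches the file.
list_path_edits() {
  [ -f "$1" ] || return 0
  grep -n 'PATH=' "$1" || true
}

# count_path_lines RC_FILE: number of tagged lines (0 or 1 when add_path_line is used).
count_path_lines() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -Fc "$MARKER" "$1" || true   # grep -c still prints 0 when nothing matches
}

# remove_path_line RC_FILE: drop only the tagged line, keeping RC_FILE.bak.
remove_path_line() {
  rc=$1
  [ -f "$rc" ] || return 0
  cp -p "$rc" "$rc.bak"
  grep -Fv "$MARKER" "$rc.bak" > "$rc" || true   # grep -v exits 1 if nothing remains
}

# Offline demo on a constructed rc file (nothing in $HOME is touched).
tmp=$(mktemp -d)
rc="$tmp/.zshrc"
printf 'export EDITOR=vi\n' > "$rc"
add_path_line "$rc" /opt/cortex/bin
add_path_line "$rc" /opt/cortex/bin     # second call must not duplicate the line
list_path_edits "$rc"
remove_path_line "$rc"
rm -rf "$tmp"
```

The marker is what makes the edit reversible; an installer that appends an untagged line forces you to hand-edit the file, which is the situation the finding warns about.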

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script downloads and executes a binary from GitHub releases without any integrity verification such as pinned checksums, signatures, or provenance checks. This creates a supply-chain risk: if the release asset, repository, network path, or selected version is compromised, the user may install a trojaned executable and immediately run it during version verification.
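What "integrity verification" looks like in practice is a pinned digest checked before the first execution. The script below is an added example, not Cortex's setup script: it places the unverified download pattern the finding describes (shown as comments, not run) beside a version that verifies a SHA-256 and only then installs and runs the asset. It runs offline on constructed files; the release URL variable, the asset name, the --version flag and the install path are assumptions.

```shell
#!/bin/sh
# Added example (not Cortex's setup script): verify a release asset against a
# pinned SHA-256 before it is executed. Runs offline on constructed files.
set -eu

# sha256_of FILE: print the hex digest using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_asset FILE EXPECTED_HEX: 0 if FILE hashes to the pinned digest, 1 otherwise.
verify_asset() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ] && return 0
  echo "checksum mismatch for $1: expected $2, got $actual" >&2
  return 1
}

# Pattern the finding describes (shown, not run): the binary executes before
# anything has checked that the bytes are the intended release.
#   curl -fsSL "$RELEASE_URL" -o cortex
#   chmod +x cortex && ./cortex --version

# Hardened pattern: pin the version in the URL, pin the digest in the script,
# verify, and only then copy into place and execute.
# install_verified ASSET PINNED_HEX DEST
install_verified() {
  verify_asset "$1" "$2" || return 1
  cp "$1" "$3" && chmod 0755 "$3"
  "$3" --version
}

# Offline demo on a constructed asset. The digest is computed here from the
# known-good file only to stand in for the value a maintainer publishes next
# to the release; in a real script it is a literal.
tmp=$(mktemp -d)
printf '#!/bin/sh\necho "cortex (demo build)"\n' > "$tmp/cortex-good"
pinned=$(sha256_of "$tmp/cortex-good")
cp "$tmp/cortex-good" "$tmp/cortex-tampered"
printf 'echo tampered >&2\n' >> "$tmp/cortex-tampered"

install_verified "$tmp/cortex-good" "$pinned" "$tmp/cortex"     # verified: runs
if install_verified "$tmp/cortex-tampered" "$pinned" "$tmp/cortex"; then
  echo "BUG: tampered asset was accepted" >&2
  exit 1
fi
rm -rf "$tmp"
```

A checksum pinned in the script defends against a swapped release asset or a bad network path; it does not by itself defend against a compromised repository that publishes a new checksum alongside a new binary, which is why the finding also lists signatures and provenance checks.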

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The connector sync/import guidance encourages ingesting data from GitHub, Gmail, Calendar, Drive, Slack, Notion, Discord, and Telegram into local memory without any warning about sensitive data capture, retention, or cross-source aggregation. This increases the risk of accidentally centralizing secrets, personal data, or regulated content in a searchable local store that may later be exposed to agents or other tools.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documented scheduling command installs recurring background synchronization, but the skill text does not clearly warn that it creates ongoing automated imports. Background tasks are riskier than one-shot commands because they can continuously ingest new sensitive data, surprise users, and expand the blast radius of any misconfiguration or compromised connector credentials.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The reimport command unconditionally deletes the Cortex SQLite database with `rm -f "$DB"` before rebuilding it, and there is no confirmation prompt, dry-run mode, or backup step. In an agent-facing wrapper, this makes accidental invocation or misuse capable of causing immediate data loss of persistent memory, which is especially relevant given this skill's purpose is long-lived storage.
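The three missing safeguards the finding names (backup, dry run, confirmation) are cheap to add in front of the `rm -f "$DB"` step. The script below is an added example, not Cortex's reimport command: it keeps the destructive step but runs it only after a timestamped backup and an explicit confirmation argument, with a dry-run mode that changes nothing. The rebuild step is a placeholder, since the real import command is not on this page, and the database path is an assumption.

```shell
#!/bin/sh
# Added example (not Cortex's reimport command): the destructive step the
# finding quotes, wrapped with a backup, a dry run and explicit confirmation.
set -eu

# backup_db DB: copy the database to a timestamped sibling and print its path.
# For a live SQLite file prefer `sqlite3 "$DB" ".backup '$out'"`, which takes a
# consistent snapshot; cp is used here so the demo needs no sqlite3.
backup_db() {
  db=$1
  out="$db.bak.$(date +%Y%m%dT%H%M%S).$$"
  cp -p "$db" "$out"
  printf '%s\n' "$out"
}

# rebuild_db DB: stand-in for the real import; creates an empty database file.
rebuild_db() { : > "$1"; }

# safe_reimport DB [MODE]: MODE is "dry-run" (default, report only) or "yes".
# Returns 0 on success, 2 when no confirmation was given, 1 on failure.
safe_reimport() {
  db=$1; mode=${2:-dry-run}
  if [ ! -f "$db" ]; then
    echo "no database at $db, nothing to reimport" >&2
    return 1
  fi
  case "$mode" in
    dry-run)
      echo "would back up $db and rebuild it; re-run with 'yes' to proceed"
      return 0 ;;
    yes) ;;
    *)
      echo "refusing: pass 'yes' to confirm destruction of $db" >&2
      return 2 ;;
  esac
  bak=$(backup_db "$db")
  rm -f "$db"            # the original destructive step, now after a backup
  rebuild_db "$db"       # placeholder for the real import
  echo "rebuilt $db (previous copy kept at $bak)"
}

# Offline demo on a constructed database file.
tmp=$(mktemp -d)
db="$tmp/cortex.db"
printf 'demo contents\n' > "$db"
safe_reimport "$db"          # dry run: touches nothing
safe_reimport "$db" yes      # backs up, deletes, rebuilds
ls "$tmp"
rm -rf "$tmp"
```

Requiring a literal confirmation argument rather than an interactive prompt matters in an agent-facing wrapper: a prompt can be answered by whatever drives the shell, while a required argument has to appear in the command the agent proposes, where a policy or a human can see it.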

VirusTotal

0 of 66 vendors flagged this skill; all 66 rated it clean. Note that this covers the skill's own files as submitted and not the binary the setup script downloads from GitHub releases at install time, which is the supply-chain gap described in the findings above.
