ShieldCortex

Security checks across malware telemetry and agentic risk

Overview

ShieldCortex is mostly coherent as a memory and security tool, but it deserves review because it can persist conversation content across sessions, read files that may contain secrets, spawn npm-backed commands at runtime, and, when cloud sync is configured, forward prompt excerpts to a remote endpoint.

Install only if you intentionally want a persistent memory/security layer that can inspect agent configs, transcripts, and possible secrets. Use a pinned local ShieldCortex binary instead of relying on the `npx` fallback, keep cloud sync/API keys disabled unless you need them, review and prune `~/.shieldcortex/`, and disable auto-memory for work involving credentials, client data, regulated data, or sensitive prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger list contains very common phrases such as "this is important," "i learned," "always do," and "going with," which are likely to appear in ordinary conversation. In a memory-persistence skill, that means routine chat content can be extracted and stored without the user having signalled intent, increasing the chance that sensitive or irrelevant information is retained. Narrow, explicit triggers (a dedicated command or marker phrase) are the usual mitigation.

Missing User Warnings

Severity: High
Confidence: 93%
Finding
The hook documentation describes reading and capturing session transcripts and saving extracted content to a local database, but it does not prominently warn users that conversation content may be persisted across sessions. Because transcripts can contain credentials, proprietary code, or sensitive operational details, insufficient disclosure materially increases the risk of accidental retention and later exposure.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The runtime spawns external commands via npx/mcporter and may fall back to `npx -y shieldcortex`, which can fetch and execute code from the package registry at runtime (`-y` suppresses the confirmation prompt that npx otherwise shows before installing a package). In a security-focused skill, silently invoking package-manager-backed subprocesses is more dangerous because it expands the trust boundary to whatever the registry serves at that moment, enables unintended code execution paths, and may expose sensitive tool arguments or agent data to external binaries without explicit user consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
`scanRealtimeContent` forwards raw text content to the ShieldCortex runtime via `callCortex('scan_tool_response', ...)`, and that path is triggered on LLM inputs without an explicit just-in-time consent or clear disclosure in the hook handler. In a security plugin, user prompts often contain secrets, credentials, proprietary data, or regulated content, so silent transmission to external or auxiliary services creates a meaningful privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The plugin automatically extracts assistant outputs and persists them through the external memory runtime when auto-memory is enabled, without any per-item warning, approval, or sensitivity filtering. Assistant responses can echo user secrets or contain sensitive operational details, so silent persistence expands the exposure window and can create long-lived records of data users did not intend to store.

Ssd 3

Severity: Medium
Confidence: 91%
Finding
The hook explicitly captures ending session transcripts, pattern-matches their contents, and persists selected information, including user-signaled text. Even if the feature is intended as memory support, this creates a data retention channel where secrets, confidential prompts, or sensitive project details can be stored and later resurfaced.

Ssd 3

Severity: Medium
Confidence: 89%
Finding
Automatically retrieving prior memories and injecting them into bootstrap context can reintroduce sensitive data from earlier sessions into new conversations where it may no longer be appropriate. This increases the blast radius of any previously stored secret or confidential detail, because the data can be exposed repeatedly and influence future agent behavior.

Ssd 3

Severity: Medium
Confidence: 89%
Finding
The configuration and extraction logic enable broad automatic memory capture from LLM outputs, and the extracted `content` field stores up to 500 characters of matched text in plain language, with no sensitivity filtering before the write. Since assistant outputs often summarize or restate user-provided sensitive inputs, this design can persist secrets, personal data, internal architecture details, or credentials beyond the original conversation context.
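The vague-trigger, auto-memory, and 500-character capture findings above describe one mechanism: a keyword match on transcript text followed by a verbatim write. The added example below is not ShieldCortex's code; it models that mechanism with assumed trigger lists, an assumed 500-character limit, a constructed transcript, and a deliberately small secret-pattern list, and places it beside a hardened extractor that requires an explicit marker and redacts secret-shaped strings before anything is stored.

```javascript
// Added example, not part of ShieldCortex. Naive keyword extraction beside an
// explicit-marker extractor with redaction. Triggers, limits, patterns and the
// sample transcript are assumptions modelled on the findings.

const BROAD_TRIGGERS = ['this is important', 'i learned', 'always do', 'going with'];
const EXPLICIT_TRIGGERS = ['remember this:', '/remember'];

// Illustrative only: a real filter needs a broader, maintained secret ruleset.
const SECRET_PATTERNS = [
  /\bAKIA[0-9A-Z]{16}\b/g,                                    // AWS access key id shape
  /\bsk-[A-Za-z0-9]{20,}\b/g,                                  // "sk-" style API token shape
  /(?:password|passwd|pwd)\s*[:=]\s*\S+/gi,                    // password assignments
  /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
];

// Naive extractor: any line containing a broad trigger is stored verbatim,
// truncated to 500 chars. This is the retention channel the findings describe.
function extractNaive(transcript) {
  const out = [];
  for (const line of transcript.split('\n')) {
    const lower = line.toLowerCase();
    if (BROAD_TRIGGERS.some((t) => lower.includes(t))) {
      out.push({ content: line.slice(0, 500), source: 'auto' });
    }
  }
  return out;
}

function redactSecrets(text) {
  let redacted = text;
  for (const re of SECRET_PATTERNS) redacted = redacted.replace(re, '[REDACTED]');
  return redacted;
}

// Hardened extractor: only lines the user explicitly marked are candidates,
// secret-shaped substrings are redacted before storage, and a line that was
// nothing but secrets is dropped rather than kept as an empty record.
function extractExplicit(transcript) {
  const out = [];
  for (const line of transcript.split('\n')) {
    const lower = line.toLowerCase();
    const trigger = EXPLICIT_TRIGGERS.find((t) => lower.includes(t));
    if (!trigger) continue;
    const body = line.slice(lower.indexOf(trigger) + trigger.length).trim();
    const clean = redactSecrets(body);
    if (!clean.replace(/\[REDACTED\]/g, '').trim()) continue;
    out.push({ content: clean.slice(0, 500), source: 'explicit' });
  }
  return out;
}

// Constructed transcript: ordinary chat that happens to contain credentials.
const SAMPLE_TRANSCRIPT = [
  'user: quick question, I learned the staging box uses AKIAIOSFODNN7EXAMPLE for S3',
  'assistant: noted. always do rotate keys after sharing them in chat.',
  'user: we are going with postgres for the new service',
  'user: remember this: deploy window is Tuesdays 09:00 UTC, password=Hunter2!',
  'user: remember this: sk-abcdefghijklmnopqrstuvwxyz',
].join('\n');
```

On the sample transcript, `extractNaive` stores three records, the first of which carries the AWS key verbatim; `extractExplicit` stores one record (the deploy window, with the password redacted) and drops the line that consisted only of a token. Redaction is a backstop, not a substitute for narrow triggers: anything the pattern list misses is still written to disk.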

Ssd 3

Severity: Medium
Confidence: 96%
Finding
When a threat is detected, the plugin uploads metadata plus a `content` excerpt (`text.slice(0, 200)`) to a cloud endpoint using a bearer API key. Security detections are especially likely to fire on prompts containing credentials, tokens, malware samples, internal instructions, or other sensitive text, so forwarding the first 200 characters of such prompts to a remote service creates a direct natural-language exfiltration channel, and the excerpt is not needed for the detection event itself to be useful.

VirusTotal

All 66 VirusTotal vendors reported this skill as clean (0/66 detections). Note that this reflects antivirus signature matching on the package contents; it says nothing about the data-retention and cloud-forwarding behaviours described in the findings above, which are by design rather than malware.

View on VirusTotal