Skill v4.12.11
ClawScan security
ShieldCortex · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 27, 2026, 6:24 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions mostly match a memory+scanner plugin, but there are several risky or surprising behaviours (on-demand npx installs, reading project .env files, and modifying other agent config files) that deserve careful review before installation.
- Guidance
- ShieldCortex appears to implement the memory+scan features it claims, but it requires broad read access to agent/project config files (including $CWD/.env) and can modify other agents' config to register lifecycle hooks. It also falls back to running 'npx -y shieldcortex', which will fetch and run code from npm on first use. Before installing:
  1. Review the bundled runtime files yourself (they are included) and confirm you trust the upstream package on npm/github.
  2. Do not enable cloud sync or supply a cloud API key unless you trust the service and its team.
  3. If you want to avoid network/supply-chain risk, install the shieldcortex binary from a vetted source ahead of time and set binaryPath/SHIELDCORTEX_ROOT so the plugin uses a known local binary.
  4. Be cautious about auto-enable options that modify ~/.claude or other agent configs: back up those files first and require explicit consent to change them.
  5. If you store secrets in project .env files, consider removing them or restricting access before allowing this skill to scan them.
  If you want a lower-risk posture, prefer a version that only uses the bundled runtime without on-demand npx installs and that does not auto-write other agents' settings.
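The pre-install checks the guidance recommends can be scripted. The following is an added example written for this review, not code from ShieldCortex or ClawHub: it greps a skill's bundled runtime for on-demand install commands (the 'npx -y ...' fallback named above) and for references to sensitive paths ($CWD/.env, ~/.claude/settings.json, ~/.claude/mcp.json), snapshots the agent config files before installation so any write during setup is detected, and resolves the scanner binary only from an operator-pinned binaryPath or SHIELDCORTEX_ROOT, failing closed instead of falling back to npx. The sample runtime text, the config file contents and the assumption that the binary lives directly under SHIELDCORTEX_ROOT are all constructed for the example.

```python
"""Pre-install audit for an agent skill (added example, not ShieldCortex code)."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# On-demand install forms a reviewer would flag. 'npx -y' is the one named in
# the verdict; the npm global-install form is added here for completeness.
DYNAMIC_INSTALL = re.compile(r"\b(?:npx\s+-y\s+[\w@./-]+|npm\s+(?:install|i)\s+-g\s+[\w@./-]+)")
# Sensitive locations named in the verdict: project .env and other agents' configs.
SENSITIVE_PATHS = re.compile(r"~/\.claude/(?:settings|mcp)\.json|\$\{?CWD\}?/\.env|(?<![\w.])\.env\b")

# Constructed stand-in for a bundled runtime file exhibiting the flagged behaviours.
SAMPLE_RUNTIME = """
const bin = config.binaryPath || process.env.SHIELDCORTEX_ROOT || which('shieldcortex');
if (!bin) run('npx -y shieldcortex');        // on-demand install fallback
scanSecrets(readFile(`${CWD}/.env`));        // project env file read
writeJson('~/.claude/settings.json', hooks); // registers a lifecycle hook
"""


def audit_runtime(source: str) -> dict:
    """Return the dynamic-install commands and sensitive paths referenced in source."""
    return {
        "dynamic_install": sorted({m.group(0) for m in DYNAMIC_INSTALL.finditer(source)}),
        "sensitive_paths": sorted({m.group(0) for m in SENSITIVE_PATHS.finditer(source)}),
    }


def snapshot(paths) -> dict:
    """Map each config path to its SHA-256 (None if the file does not exist)."""
    out = {}
    for p in map(Path, paths):
        out[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest() if p.is_file() else None
    return out


def config_changes(before: dict, after: dict) -> list:
    """Paths whose content changed, or that appeared/disappeared, between snapshots."""
    return sorted(k for k in before if before[k] != after.get(k))


def resolve_binary(binary_path, root):
    """Accept only an operator-pinned binary; return None rather than falling back to npx.

    Layout assumption (constructed): the binary is <SHIELDCORTEX_ROOT>/shieldcortex.
    """
    candidates = [binary_path, Path(root) / "shieldcortex" if root else None]
    for c in candidates:
        if c and Path(c).is_file():
            return Path(c)
    return None


def demo() -> dict:
    """Audit the constructed runtime and detect a simulated config write during setup."""
    with tempfile.TemporaryDirectory() as tmp:
        settings, mcp = Path(tmp) / "settings.json", Path(tmp) / "mcp.json"
        settings.write_text(json.dumps({"hooks": {}}))
        mcp.write_text(json.dumps({"mcpServers": {}}))
        before = snapshot([settings, mcp])
        # Simulated setup step (constructed): the skill registers a lifecycle hook.
        data = json.loads(settings.read_text())
        data["hooks"]["PostToolUse"] = [{"command": "hypothetical-hook-command"}]
        settings.write_text(json.dumps(data))
        changed = [Path(p).name for p in config_changes(before, snapshot([settings, mcp]))]
    return {"audit": audit_runtime(SAMPLE_RUNTIME), "changed": changed}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the audit against every file under the skill's bundled runtime directory, not just one; a clean audit plus an empty change list after installation is the evidence that the "bundled runtime only, no auto-written settings" posture the guidance asks for actually holds.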
Review Dimensions
- Purpose & Capability
- note: Name/description claim persistent memory + security scanning; the bundled plugin and hook implement exactly that: memory extraction, semantic storage, and realtime scanning. The declared filesystem paths (agent config dirs and project files) and optional cloud sync align with the stated purpose. The only surprising capabilities are explicit read access to $CWD/.env and the claim that the skill will modify MCP/agent settings (e.g., ~/.claude/settings.json and ~/.claude/mcp.json) during setup. These are explainable for a memory/security integrator but are higher-privilege than a simple formatter or UI plugin.
- Instruction Scope
- concern: SKILL.md and bundled code instruct the agent to read many agent/project config locations and to scan .env for leaked secrets. Those file reads are declared, but reading dot-env files can expose secrets unrelated to the plugin's core function. The skill also registers lifecycle handlers in other agents' settings (e.g., ~/.claude/settings.json), which changes agent behavior system-wide. The runtime code dynamically locates or falls back to running shieldcortex via npx, meaning network fetch/execution happens on first use unless a local binary is installed.
- Install Mechanism
- concern: There is no formal install spec; the runtime falls back to executing 'npx -y shieldcortex' (and the HOOK.md explicitly says 'installs automatically on first use via npx -y shieldcortex'). That causes on-demand downloads from npm at runtime, which is higher risk than only using bundled code. The package does bundle runtime code locally, but the code path still prefers global installs or npx, which can pull remote code. This dynamic-install behaviour should be considered a notable supply-chain risk unless you control or vet the registry and package release process.
- Credentials
- note: The skill declares no required environment variables and only optional config vars (SHIELDCORTEX_CONFIG_DIR, SHIELDCORTEX_API_KEY, etc.). That is proportional. However, the code explicitly reads $CWD/.env and other project config files to scan for leaked secrets; while justified by the 'env-scanner' purpose, this gives the skill access to potentially sensitive credentials stored in project env files. The plugin also allows a cloudApiKey option for optional cloud sync, which is reasonable but also increases risk if enabled.
- Persistence & Privilege
- concern: The skill is not force-installed (always:false) and allows autonomous invocation (default). It writes to its own config dir (~/.shieldcortex/), which is expected, but it also may modify MCP/agent config files (e.g., ~/.claude/mcp.json and ~/.claude/settings.json) to register lifecycle hooks. Modifying other agents' settings is powerful and can change agent behavior system-wide; this is a legitimate integration step but is a persistence/privilege escalation vector that users should explicitly approve and monitor.
