Back to skill

Security audit

ShieldCortex

Security checks across malware telemetry and agentic risk

Overview

ShieldCortex is a powerful local memory and security integration, but its broad hooks, storage, scans, and optional cloud features are mostly disclosed and purpose-aligned.

Install only if you want a persistent local memory/security layer that can read agent transcripts, scan config and .env files, intercept memory writes, and keep local audit records. Keep cloud sync off unless you are comfortable sending selected memory or metadata to ShieldCortex Cloud, and review or disable auto-memory/proactive recall for sensitive projects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (21)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The plugin registers a before_tool_call hook that can actively block tool invocations based on interceptor output, which goes beyond passive scanning and memory functionality described in the skill metadata. This creates a security-relevant mismatch between declared behavior and actual authority, increasing the risk of unexpected denial, policy bypass assumptions, or hidden enforcement in environments that only approved passive monitoring.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The code comments claim that no raw LLM input leaves the plugin, but the full audit entry object—including a preview derived from user input—is passed to cloudSync. Even if downstream code is intended to strip content, this file still transmits sensitive material across a trust boundary, so logging, future code changes, or alternate implementations could leak user prompts or secrets.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The hook defines many broad, natural-language trigger phrases such as 'remember this', 'don't forget', 'important:', and 'going with' that can cause immediate persistence of following content into long-term memory. Because the feature is attached to ordinary conversation, an attacker or even routine dialogue could unintentionally or manipulatively store sensitive, misleading, or prompt-injected content, increasing privacy and poisoning risk despite the described firewall.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document states that auto-memory extraction is enabled by default and that session transcripts are read at session end to extract and persist 'decisions, bug fixes, learnings, architecture changes, and preferences.' This creates a real privacy and data-retention risk because users may not realize ordinary session content is being analyzed and stored persistently in ~/.shieldcortex/memories.db, potentially capturing sensitive project data or personal information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Proactive recall sends slices of every qualifying user message to an external memory service via `callCortex("recall")` without a user-facing disclosure or per-message consent at the transmission point. Even though the query is truncated, sensitive prompts, credentials, or proprietary text can still be transmitted off the immediate execution path and used to retrieve related memories.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The session extraction path persists derived assistant-session content through external `remember` calls without explicit warning at the persistence point. In a long-lived agent environment, automatic cross-session storage can retain sensitive outputs, internal reasoning fragments, or confidential project data beyond the user's immediate expectations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Keyword-triggered saves transmit user-provided content to persistent memory based on natural-language phrases like "remember this" or "don't forget" without advance disclosure beyond the trigger itself. A user may include sensitive values in such text, and an attacker influencing the conversation could induce durable storage of confidential material.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The interceptor writes `preview: fullContent.slice(0, 200)` to a JSONL file under the user's home directory for every intercepted memory tool call. Because this content may include prompts, secrets, personal data, or other sensitive memory payloads, persisting it to disk creates an unintended local data exposure surface, especially since this file shows no consent, redaction, encryption, or retention controls.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The manifest explicitly advertises realtime defence scanning on LLM input, memory extraction on LLM output, and optional cloud threat forwarding, but it does not surface an explicit privacy warning or consent requirement for collection, retention, or external transmission of potentially sensitive prompts, outputs, and tool-call data. In a security product that hooks llm_input, llm_output, before_tool_call, and session_end, this omission is materially risky because users may enable behavior that captures secrets, proprietary data, or personal information without understanding the data-handling consequences.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The UI help for cloudApiKey says it is used for realtime threat forwarding, but it does not warn that forwarded content may include model prompts, outputs, memory candidates, or other sensitive system data observed by the scanner. Because this plugin is positioned as a defensive interceptor with broad visibility into agent activity, understated disclosure increases the chance of unintentional external data exposure.

Ssd 3

Medium
Confidence
89% confidence
Finding
Natural-language triggers create a persistence channel where ordinary conversational text can cause durable storage and later resurfacing. In agent settings, prompt-injected or socially engineered phrases can steer the system into remembering attacker-chosen content, including poisoned instructions or sensitive snippets, which may influence future sessions.

Ssd 3

Medium
Confidence
90% confidence
Finding
Proactive recall on nearly every user message increases the chance that previously stored sensitive or attacker-poisoned memory is resurfaced into the active context. That enlarges the semantic leak surface and can reintroduce stale, malicious, or cross-project data into conversations where it is not appropriate.

Ssd 3

High
Confidence
96% confidence
Finding
The plugin persistently stores assistant outputs into global memory using broad regex heuristics like 'learned', 'should always', or 'important', without strong sensitivity filtering, user consent, or narrow scoping. In an agent-memory product, this is especially dangerous because prompt injection, incorrect model statements, secrets echoed by the model, or poisoned guidance can be retained globally and later influence future sessions or agents.

Agent Config Directory Access

High
Category
Agent Snooping
Content
- $CWD/.claude/, $CWD/.cursor/ (project-level configs)
    - $CWD/.cursorrules, $CWD/.windsurfrules, $CWD/.clinerules
    - $CWD/CLAUDE.md, $CWD/copilot-instructions.md
    - $CWD/.aider.conf.yml, $CWD/.continue/config.json
    - $CWD/.env (env-scanner checks for leaked secrets — reads, never writes)
  paths_write:
    - ~/.shieldcortex/ (memory DB, config, cortex log, licence, audit cache)
Confidence
90% confidence
Finding
/.continue/config.json

Agent Config Directory Access

High
Category
Agent Snooping
Content
- **Writes are contained.** All data goes to `~/.shieldcortex/`. MCP config edits (`setup`, `copilot`, `codex` commands) modify specific JSON files and confirm before writing.
- **Network is off by default.** No outbound connections unless Cloud sync is explicitly enabled by the user. The dashboard and worker bind to localhost only.
- **Bundled source code.** The OpenClaw plugin and cortex-memory handler are shipped in the package for inspection before use.
- **Lifecycle event handlers.** ShieldCortex registers lifecycle handlers that auto-extract important context from conversations. These are registered in `~/.claude/settings.json` during setup and can be removed at any time. They run locally, never phone home.
- **Proactive recall.** The UserPromptSubmit handler queries local memory on each prompt (<100ms) and surfaces relevant context. Fully local, configurable: `shieldcortex config --proactive-recall false`.

## Data handling, privacy & consent
Confidence
92% confidence
Finding
~/.claude/settings.json

MCP Config Access

High
Category
Agent Snooping
Content
paths_write:
    - ~/.shieldcortex/ (memory DB, config, cortex log, licence, audit cache)
    - ~/.openclaw/extensions/shieldcortex-realtime/ (OpenClaw plugin via the wrapper install only; native `openclaw plugins install` uses OpenClaw's managed npm tree instead)
    - ~/.claude/mcp.json, ~/.cursor/mcp.json (MCP server registration, when user runs setup)
  network_endpoints:
    - https://api.shieldcortex.ai (Cloud sync, licence validation — only when Cloud is enabled by user)
    - http://localhost:3001 (local dashboard server — loopback only)
Confidence
94% confidence
Finding
.claude/mcp.json

Context Leakage

High
Category
Data Exfiltration
Content
## Data handling, privacy & consent

ShieldCortex is **local-first**: memory, scanning, and audit run entirely on your machine — no account, no network, no telemetry by default. Because the tool can auto-capture conversation content, here is exactly what it reads, stores, and (only if you opt in) transmits.

- **What it reads.** With the lifecycle handlers enabled (opt-in at setup), ShieldCortex reads your agent **session transcripts — both your prompts and the assistant's replies** — to auto-extract memorable context. PreCompact (before context compaction) reads the recent transcript; the SessionEnd and Stop handlers are **off by default**; the OpenClaw integration extracts from assistant output and explicit keyword triggers. SessionStart does **not** read transcripts (it only loads existing local memory and scans project rule files).
- **What it stores, and for how long.** Saved and auto-extracted memories are written to a **local SQLite database at `~/.shieldcortex/memories.db`** — title and content verbatim — and **persist across sessions** until you remove them (decay/consolidation prune low-value entries over time). Nothing is stored remotely unless you enable Cloud sync. Delete a memory with the `forget` tool, or remove the database to wipe everything.
Confidence
95% confidence
Finding
capture conversation

Credential Access

High
Category
Privilege Escalation
Content
- $CWD/.cursorrules, $CWD/.windsurfrules, $CWD/.clinerules
    - $CWD/CLAUDE.md, $CWD/copilot-instructions.md
    - $CWD/.aider.conf.yml, $CWD/.continue/config.json
    - $CWD/.env (env-scanner checks for leaked secrets — reads, never writes)
  paths_write:
    - ~/.shieldcortex/ (memory DB, config, cortex log, licence, audit cache)
    - ~/.openclaw/extensions/shieldcortex-realtime/ (OpenClaw plugin via the wrapper install only; native `openclaw plugins install` uses OpenClaw's managed npm tree instead)
Confidence
89% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
### `audit` checks:
- **Memory files** — ~/.claude/projects/, ~/.cursor/memories/, ~/.windsurf/memories/
- **Environment** — .env files for leaked credentials (read-only check, never writes)
- **MCP configs** — ~/.claude/mcp.json, ~/.openclaw/mcp.json, ~/.cursor/mcp.json, project-level equivalents
- **Rules files** — CLAUDE.md, .cursorrules, copilot-instructions.md for injection patterns
Confidence
89% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
detects your environment and guides MCP server registration. All data stays
    local in ~/.shieldcortex/. No account or API key needed for local use.
permissions:
  filesystem: readwrite
  network: optional
  credentials: optional
  justification: >
Confidence
88% confidence
Finding
write network: optional credentials: optional justification: > Filesystem read: scans agent instruction files for prompt injection threats (same files the agent already reads). Filesyste

Session Persistence

Medium
Category
Rogue Agent
Content
## Defence Audit Guarantees

Every byte that lands in `memories` from the auto-extract path passes the
6-layer defence pipeline first. The hook write path is no longer the
bypass it once was:

- **ALLOW** → row inserted into `memories`; a corresponding row appears in
Confidence
82% confidence
Finding
write path is no longer the bypass it once was: - **ALLOW** → row inserted into `memories`; a corresponding row appears in `defence_audit` with `source_type = 'hook'` and the hook's identifier (`

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
bundled/cortex-memory-hook/runtime.mjs:162