Notnative
WarnAudited by ClawScan on May 10, 2026.
Overview
Notnative matches its advertised integration purpose, but it requires automatic permanent memory of personal details and exposes broad MCP, WebSocket, and Python capabilities that need careful review.
Install only if you intentionally want NotNative to become a persistent memory and tool hub for the agent. Before use, confirm where the NotNative server runs, prefer trusted local or authenticated wss:// connections, avoid storing highly sensitive facts automatically, and inspect or modify install.sh before letting it write to your shell startup file.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Personal details may be saved permanently and reused in later conversations even when the user did not explicitly ask for that information to be remembered.
The skill explicitly requires automatic permanent storage of personal and potentially sensitive user facts, but does not define consent, retention, exclusions, or when not to store.
When user shares personal information (name, preferences, allergies, hobbies, work context), IMMEDIATELY store it using `memory_store` tool
Use only if you want persistent memory. Prefer an opt-in memory policy, ask before storing sensitive facts, and verify there is an easy way to review and delete stored memories.
The agent may prioritize memory storage and recall even for tasks where the user did not request or expect persistent context use.
The instructions force recurring tool use and memory lookup as mandatory behavior, rather than limiting the skill to user-requested memory actions.
**ALWAYS follow these rules:** ... **Before Responding** ... ALWAYS search memory first ... **Context Recall**: At the start of each conversation, search memory
Change the workflow to require explicit user direction or clear per-session consent before storing or retrieving persistent memory.
If configured to a wrong or untrusted server, notes, memories, profile data, calendar/task data, and Python requests could be exposed or manipulated.
The skill allows sensitive MCP traffic to go to a remote WebSocket endpoint and explicitly permits insecure ws:// URLs, without documented authentication, identity verification, or data-boundary controls.
Connects via WebSocket to local or remote Notnative instance. ... For remote: wss://your-domain.com (or ws://IP:8788)
Use localhost or a trusted authenticated wss:// endpoint only; avoid ws:// over a network and confirm what data the NotNative server stores or returns.
An agent or user could call mutable or dangerous server tools, such as note updates, calendar/task changes, or code execution, without an artifact-defined approval boundary.
The client includes a raw MCP escape-hatch command that can invoke any tool exposed by the server with arbitrary JSON arguments, bypassing the narrower command wrappers.
case 'call': {
const toolName = args[1];
const toolArgs = args[2] ? JSON.parse(args[2]) : {};
const result = await callTool(toolName, toolArgs);Restrict generic tool calls or require explicit confirmation before any write, delete, calendar/task mutation, or code-execution action.
Entering or copying a malicious WebSocket URL could cause commands to run in future terminal sessions.
The installer writes user-supplied input directly into the shell startup file without escaping or validating it as a URL; a crafted value could become shell code when ~/.bashrc is later sourced.
read -p "Enter your NotNative WebSocket URL ..." WS_URL ... echo "export NOTNATIVE_WS_URL=\"$WS_URL\"" >> "$HOME/.bashrc"
Validate that the URL starts with ws:// or wss:// and contains only URL-safe characters, or write configuration to a non-executable config file instead of ~/.bashrc.
Installing later may fetch a newer dependency version than the one the author tested.
The skill depends on an npm package using a semver range, and the provided manifest does not include a lockfile; this is common for Node tools but leaves dependency resolution to install time.
"dependencies": {
"ws": "^8.14.0"
}Review the package source and prefer a lockfile or pinned dependency version for reproducible installs.