Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Engram — Knowledge Graphs for AI Agents

v0.1.8

Build, query, and maintain structured knowledge graphs. Use when you need to remember relationships between code components, services, people, or any concept...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the SKILL.md: the skill is a local CLI for building/querying persistent knowledge graphs (SQLite DB, types/relations, git overlays, repo scaffolding). The commands and features described are coherent for a knowledge-graph tool.
Instruction Scope
Instructions tell the agent/user to install and run an engram CLI, read/write a DB at ~/.config/engram/models.db (or ENGRAM_DB_PATH), perform git comparisons, and scaffold repos (running scripts under a repo). These actions are within the tool's purpose but include filesystem writes, git operations, and running repo-provided scaffold scripts — all expected but potentially risky if run against untrusted repos.
Install Mechanism
No formal install spec is bundled; SKILL.md instructs npm install -g @clawdactual/engram. Installing a global npm package will fetch and execute third-party code (including possible postinstall scripts). Using npm is normal, but it is an external network install and should be audited before running.
Credentials
The skill declares no required environment variables and only documents an optional ENGRAM_DB_PATH override. It does not request unrelated credentials. Git integration may implicitly use local git credentials/SSH when interacting with remotes, but that is consistent with its stated git-related features.
Persistence & Privilege
The always flag is false and the skill requests no special platform privileges. It stores persistent data in a local DB (intended for the tool), which gives it cross-session persistence; this aligns with the described purpose and is expected.
Assessment
This skill is internally consistent with a CLI-based knowledge-graph tool, but it requires installing a third-party npm package and will write a local DB and run repo scaffolding. Before installing:

1) Inspect the npm package (source repo, package.json, postinstall scripts) and prefer installing in a controlled environment (container or VM) rather than system-wide.
2) Consider installing locally (not -g) or using a lockfile and auditing dependencies.
3) Back up or isolate any existing ~/.config/engram/models.db and set ENGRAM_DB_PATH to a safe path if desired.
4) Be cautious running scaffold scripts from untrusted repositories (they can execute arbitrary code).
5) Verify the package owner and repository on npm/GitHub where possible.

These steps reduce risk while allowing you to use the tool as described.


