Skill v3.0.0
ClawScan security
Novyx Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 2:26 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, commands, and required NOVYX_API_KEY align with a memory service that auto-saves and auto-recalls conversation turns — functionality is coherent but you must trust the external service with your chat data.
- Guidance: This skill will automatically send user messages and agent responses to an external Novyx API and persist them (auto-save/auto-recall). That is expected for a memory skill but can leak secrets or PII. Before installing:
  1) Confirm you trust https://novyxlabs.com and the default API host (index.js defaults to https://novyx-ram-api.fly.dev);
  2) Use a dedicated/test API key (not a high-privilege account) if you want to try it;
  3) Consider disabling autoSave/autoRecall in configuration if you need manual control;
  4) Note a minor doc mismatch: NOVYX_API_URL is supported by the code but not listed in SKILL.md metadata — if you prefer self-hosting, set NOVYX_API_URL to your endpoint;
  5) Running the provided test (npm test) will create/delete memories on the configured account, so run tests with a disposable key.
  If you need a deeper assessment, provide network logs or confirm the official API host and privacy/security docs for Novyx.
Review Dimensions
- Purpose & Capability (ok): Name/description (persistent memory, rollback, audit, knowledge graph) match the implemented commands and API calls. The single declared credential (NOVYX_API_KEY) is appropriate for a hosted memory service.
- Instruction Scope (note): SKILL.md and index.js instruct the agent to auto-recall relevant memories before responses and auto-save user messages and agent responses (with some length filters). That behavior is within the memory-skill purpose, but it means chat content (including any secrets or PII users type) will be sent to the Novyx API.
- Install Mechanism (ok): No external download/install URL is used; package is a normal Node package (axios, dotenv). README suggests cloning and npm install or using ClawHub. No archive downloads or obscure hosts are used by the installer.
- Credentials (note): Only NOVYX_API_KEY is required (declared as primary). The code also optionally reads NOVYX_API_URL (not declared in SKILL.md metadata) — minor documentation mismatch. Requiring a single API key is proportional, but the key grants the service the ability to store and read all auto-saved conversation content.
- Persistence & Privilege (ok): always is false and the skill does not request elevated platform privileges or modify other skills. Autonomous invocation is allowed (default) which is expected for a memory skill — combined with auto-save/auto-recall this increases the need to trust the external service but is not itself incoherent.
