Lineage Code Mini
Security checks across malware telemetry and agentic risk
Overview
The skill is coherent with its behavioral-adaptation purpose, but users should notice that it stores local interaction/profile data and may install an unpinned npm dependency if its setup script is used.
This looks like a purpose-aligned local profiling skill rather than a malicious one. Before installing, decide whether you want the agent to keep local interaction/profile data and adapt future replies from it, and review the npm package if you plan to run setup.sh.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may remember engagement patterns and style preferences locally and use them to change how it responds in later conversations.
The skill persistently stores and reuses behavioral profile data to influence future responses. This is disclosed and aligned with the skill's purpose, but it creates persistent context that users may want to inspect or clear.
Before each response, check if a user profile exists at `{baseDir}/data/profiles/`. If it does, read it and apply the behavioral hints to your response style.Install only if you want persistent behavioral adaptation; periodically review or delete the profile and interaction-history files if you do not want this data retained.
Your environment could use whatever version of the npm package is current at install time, and the package would be installed globally.
If the setup script is run, it installs an external npm package globally without pinning a version. The dependency is purpose-aligned, but the global unpinned install increases supply-chain exposure.
npm install -g lineage-code-mini
Review the npm package/source before running setup, prefer a pinned version, and consider installing in a controlled or project-local environment.