Claw Store 1.3.3

Security checks across malware telemetry and agentic risk

Overview

Claw Store does what its encrypted-memory description says, but it warrants review: on first use it can run an npm dependency installation, while the skill itself handles long-lived wallet and encryption secrets.

Install it only if you trust the publisher, the Railway API host, the Jackal providers, and the npm dependency chain. Before use, prefer running npm install yourself in a clean environment. Keep unrelated secrets out of the process environment and out of nearby .env files, keep the output of wallet and key commands private, and review what the agent saves: memories persist across sessions even though their content is encrypted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not _NODE_MODULES.exists():
    print("[jackal-memory] Installing Jackal dependencies (first run — takes ~30s)...",
          file=sys.stderr)
    r = subprocess.run(
        ["npm", "install", "--prefix", str(_SKILL_DIR)],
        capture_output=True, text=True,
    )
Confidence
83% confidence
Finding
r = subprocess.run( ["npm", "install", "--prefix", str(_SKILL_DIR)], capture_output=True, text=True, )

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Installing dependencies and executing npm/node from a memory client is a meaningful attack-surface increase because it allows arbitrary third-party package code to run on first use. In this skill context, users expect storage functionality, not dynamic package execution, so the hidden supply-chain and runtime execution behavior is more dangerous than in a normal developer build pipeline.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
walletgen prints the wallet mnemonic directly to stdout, which can leak to terminal scrollback, shell history wrappers, logs, agent transcripts, or orchestration telemetry. Because the mnemonic controls the user's storage wallet, disclosure can enable account takeover or irreversible loss of stored data control.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The manifest stores plaintext-derived metadata locally, including user-provided keys, update timestamps, and plaintext byte length, which can reveal sensitive memory topics and usage patterns even though content is encrypted. This undermines the privacy expectations of a memory vault and may leak information to anyone with local file access or backup visibility.
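The following is an added example, not the skill's own code, showing the manifest shape the finding describes next to a hardened form: the user key is replaced by an HMAC-SHA256 tag under a manifest key, the timestamp is coarsened to the day, and the stored size is the plaintext length rounded up to a 1 KiB bucket. The manifest key derivation, the 1 KiB bucket size and the sample entries are assumptions for the demo; the real skill's format is not shown on the page.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

BUCKET = 1024  # size bucket in bytes; an assumption for this demo


def naive_manifest_entry(key: str, plaintext: bytes, ts: datetime) -> dict:
    """The pattern the finding describes: the user key, the exact update time and
    the exact plaintext length sit in the clear beside the ciphertext."""
    return {"key": key, "updated": ts.isoformat(), "plaintext_len": len(plaintext)}


def name_tag(key: str, manifest_key: bytes) -> str:
    """Keyed hash of the user key. Without manifest_key the tag says nothing about
    the topic, but a lookup can recompute it from the key the user asks for."""
    return hmac.new(manifest_key, key.encode("utf-8"), hashlib.sha256).hexdigest()


def hardened_manifest_entry(key: str, plaintext: bytes, ts: datetime,
                            manifest_key: bytes) -> dict:
    """Store only the tag, the day (not the second) and the padded length.
    The plaintext would be padded to the same bucket before encryption so the
    ciphertext length matches what the manifest reveals."""
    padded_len = -(-len(plaintext) // BUCKET) * BUCKET  # round up to bucket
    day = ts.astimezone(timezone.utc).strftime("%Y-%m-%d")
    return {"tag": name_tag(key, manifest_key), "updated_day": day,
            "padded_len": padded_len}


def lookup(manifest: list, key: str, manifest_key: bytes):
    """Find the entry for a user key by recomputing its tag; constant-time compare."""
    tag = name_tag(key, manifest_key)
    for entry in manifest:
        if hmac.compare_digest(entry["tag"], tag):
            return entry
    return None


def demo() -> dict:
    # Assumption: in a real client the manifest key would be derived from the
    # wallet or encryption secret with a KDF; here it is a constructed constant.
    manifest_key = hashlib.sha256(b"constructed-demo-manifest-secret").digest()
    ts = datetime(2025, 3, 4, 15, 42, 7, tzinfo=timezone.utc)
    # Constructed sample memories; the topic leaks from the key alone.
    samples = [("therapy session notes", b"17 bytes of text"),
               ("api token for prod", b"x" * 1500)]
    naive = [naive_manifest_entry(k, p, ts) for k, p in samples]
    hardened = [hardened_manifest_entry(k, p, ts, manifest_key) for k, p in samples]
    return {"naive": naive, "hardened": hardened, "manifest_key": manifest_key}


if __name__ == "__main__":
    out = demo()
    print(json.dumps({"naive": out["naive"], "hardened": out["hardened"]}, indent=2))
```

Anyone with file or backup access still learns how many entries exist and roughly when they change; hiding that would need dummy entries and a fixed write schedule, which is beyond what this example shows.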

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code exports the wallet mnemonic into the child process environment, making a highly sensitive secret available to the Node subprocess and, from there, to crash dumps, debug output, process inspection (for example /proc/<pid>/environ on Linux, readable by any process running as the same user), or malicious package code. Since the same skill also performs npm installation and executes external Node code, this secret-passing pattern is especially risky in context.
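The following is an added example, not the skill's own code, covering this finding and the earlier one about printing the mnemonic: it contrasts handing a secret to a child through the environment with passing it over a stdin pipe into an allowlisted environment, and writes the mnemonic to a 0600 file instead of stdout. So that it runs without node or npm, the child is a hypothetical stand-in written in Python and launched with the same interpreter; it reports whether the secret arrived on stdin and whether it could also see it in its own environment. The mnemonic string, the JACKAL_MNEMONIC variable name and the allowlist are constructed for the demo.

```python
import json
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed 12-word string from the BIP39 vocabulary for the demo; it is not
# a real or checksum-valid wallet mnemonic.
SAMPLE_MNEMONIC = ("abandon ability able about above absent "
                   "absorb abstract absurd abuse access accident")

# Hypothetical stand-in for the skill's Node helper: reads one JSON message on
# stdin and reports whether the mnemonic also reached it via the environment.
CHILD_SCRIPT = r"""
import json, os, sys
msg = json.loads(sys.stdin.read())
secret = msg["mnemonic"]
print(json.dumps({
    "got_mnemonic_via_stdin": bool(secret),
    "mnemonic_in_env": any(secret in v for v in os.environ.values()),
}))
"""


def save_mnemonic(mnemonic: str, dest: Path) -> Path:
    """Write the mnemonic to a file created with mode 0600, never to stdout.
    O_EXCL refuses to overwrite an existing wallet file instead of silently
    replacing it."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(mnemonic + "\n")
    return dest


def minimal_env() -> dict:
    """Allowlist the few variables a helper needs to run; API keys exported in
    the agent's shell, nearby .env exports and the mnemonic stay out."""
    keep = ("PATH", "HOME", "SYSTEMROOT", "TMPDIR", "LANG")
    return {k: os.environ[k] for k in keep if k in os.environ}


def run_helper_leaky(mnemonic: str, argv: list) -> dict:
    """The pattern the finding describes: the secret rides in the child's
    environment, where process inspection, crash dumps and any installed
    package code can read it. JACKAL_MNEMONIC is a hypothetical name."""
    env = {**os.environ, "JACKAL_MNEMONIC": mnemonic}
    payload = json.dumps({"mnemonic": mnemonic, "op": "status"})
    r = subprocess.run(argv, input=payload, capture_output=True, text=True,
                       env=env, check=True)
    return json.loads(r.stdout)


def run_helper_hardened(mnemonic: str, argv: list) -> dict:
    """Hardened form: the secret travels only over the stdin pipe, and the
    child starts with an allowlisted environment."""
    payload = json.dumps({"mnemonic": mnemonic, "op": "status"})
    r = subprocess.run(argv, input=payload, capture_output=True, text=True,
                       env=minimal_env(), check=True)
    return json.loads(r.stdout)


def demo() -> dict:
    argv = [sys.executable, "-c", CHILD_SCRIPT]
    return {"leaky": run_helper_leaky(SAMPLE_MNEMONIC, argv),
            "hardened": run_helper_hardened(SAMPLE_MNEMONIC, argv)}


def save_demo() -> dict:
    """Create the wallet file in a temp dir; report its mode bits and that a
    second save of the same path is refused."""
    with tempfile.TemporaryDirectory() as d:
        p = save_mnemonic(SAMPLE_MNEMONIC, Path(d) / "wallet.mnemonic")
        mode = p.stat().st_mode & 0o777
        try:
            save_mnemonic(SAMPLE_MNEMONIC, p)
            refused = False
        except FileExistsError:
            refused = True
    # mode bits are only meaningful on POSIX filesystems
    return {"mode_ok": os.name != "posix" or mode == 0o600,
            "second_save_refused": refused}


if __name__ == "__main__":
    print(json.dumps({"child": demo(), "file": save_demo()}, indent=2))
```

The stdin pipe is not a complete fix on its own: a malicious package loaded by the helper still receives the mnemonic once the helper parses it. What the pipe removes is the exposure to every other observer of the process, and the allowlisted environment keeps unrelated secrets from the agent's shell out of the child entirely.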

VirusTotal

65/65 vendors flagged this skill as clean.
