Security audit
JEP Guard for ClawHub
Security checks across malware telemetry and agentic risk
Overview
The skill is internally coherent: it is a browser extension plus a local daemon that implements the described JEP Guard features and stores audit events locally — nothing in the files indicates hidden remote exfiltration, but the package does create and persist local state and event logs that may contain sensitive content.
This package appears to do what it says: a browser extension plus a local daemon that records causal events to local files. Before installing: 1) Verify you trust the source (the package will run a local Node daemon and write files to ~/.jep-data). 2) Understand the pairing behavior: the extension/daemon establish a persistent token and the daemon keeps a 60s pairing window on startup — start the daemon only when you control the machine and have the extension UI open. 3) Events.jsonl/state.json are stored in plain text and may include nonces or parts of AI session payloads — review and avoid sharing. 4) Note the documentation inconsistency about storage (README vs SKILL.md); the code stores token in chrome.storage.local and the daemon in ~/.jep-data. 5) If you want tighter containment, run the daemon under a dedicated user or isolated environment. If you do not trust the publisher or do not want local persistent logs, do not install.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
