Back to plugin

Security audit

JEP Guard for ClawHub

Security checks across malware telemetry and agentic risk

Overview

The skill is internally coherent: it is a browser extension plus a local daemon that implements the described JEP Guard features and stores audit events locally — nothing in the files indicates hidden remote exfiltration, but the package does create and persist local state and event logs that may contain sensitive content.

This package appears to do what it says: a browser extension plus a local daemon that records causal events to local files. Before installing: 1) Verify you trust the source (the package will run a local Node daemon and write files to ~/.jep-data). 2) Understand the pairing behavior: the extension/daemon establish a persistent token and the daemon keeps a 60s pairing window on startup — start the daemon only when you control the machine and have the extension UI open. 3) Events.jsonl/state.json are stored in plain text and may include nonces or parts of AI session payloads — review and avoid sharing. 4) Note the documentation inconsistency about storage (README vs SKILL.md); the code stores token in chrome.storage.local and the daemon in ~/.jep-data. 5) If you want tighter containment, run the daemon under a dedicated user or isolated environment. If you do not trust the publisher or do not want local persistent logs, do not install.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.