Skill v1.0.3

ClawScan security

Threadline — Persistent Memory and Context Layer for AI Agents · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 30, 2026, 5:32 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions, environment requirements, and behavior are coherent with a persistent-memory service for agents, but it legitimately injects system prompts and stores broad user context—so review privacy, trust in the provider, and SDK provenance before using.
Guidance
This skill appears to do what it claims, but it will send user messages and agent responses to an external service that injects system prompts back into your LLM calls. Before installing: (1) Verify you trust threadline.to and review their privacy and data-retention policies; (2) Confirm the official SDK/package name and install from a trusted registry (npm) or the vendor's documented source; (3) Avoid sending highly sensitive PII or secrets into the memory store, or implement client-side redaction/encryption if needed; (4) Limit the API key's permissions where possible and rotate keys regularly; (5) Test with non-sensitive data and verify deletion/retention behavior via their dashboard; (6) Consider self-hosting or an alternative if you require full control over stored context.
Findings
[system-prompt-override] expected: The skill must inject system prompts to provide persistent context, so a 'system-prompt-override' pattern is expected. However, this capability is a sensitive attack surface: if the remote service is compromised or malicious it can influence agent behavior via injected prompts.

Review Dimensions

Purpose & Capability
ok: The skill claims to provide persistent memory and shows exactly how to inject and update context around LLM calls. The single required env var (THREADLINE_API_KEY) and the shown SDK usage align with the stated purpose.
Instruction Scope
note: Instructions explicitly tell agents to call inject() before LLM calls and update() after responses and to avoid logging the enriched system prompt. This is expected for a context-injection service but grants the remote service the ability to alter system prompt content and store broad scopes (including 'emotional_state' and 'general'), which may include sensitive personal or project data.
Install Mechanism
ok: Instruction-only skill with no install spec or code files reduces on-disk risk. Examples reference 'threadline-sdk' but no install instructions or declared dependencies are provided in the registry metadata. This is not harmful but worth noting for implementers.
Credentials
ok: Only THREADLINE_API_KEY is required and is appropriate for a hosted service. No unrelated credentials, system paths, or extra secrets are requested.
Persistence & Privilege
ok: 'always' is false and the skill does not request permanent platform-wide privileges. The SDK pattern requires the service to persist user context by design; this is expected behavior.