Cognitive Loop

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is coherent and safety-conscious, but users should review the external package it recommends and understand that it stores reusable task memory.

Before installing, review the linked npm/GitHub package yourself, test in a sandbox, keep user approval for code changes or deployments, and monitor what gets saved under memory/.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation (Severity: Low)
What this means

If used with file-editing, deployment, or command tools, the agent may attempt repeated fixes or tests as part of its workflow.

Why it was flagged

The skill describes autonomous retry, recovery, and repair behavior. This fits the stated cognitive-loop purpose, but could affect code or deployments if the user grants tools.

Skill content
Execution monitor ... automatic retry, degradation, exception recovery ... tester ... automatic repair
Recommendation

Keep approval gates for file changes, deployments, and other high-impact actions, especially during first use.

ASI04: Agentic Supply Chain Vulnerabilities (Severity: Low)
What this means

Installing the external package would run code outside this scan’s reviewed files.

Why it was flagged

The skill points users to an external npm package and GitHub repository that are not included in the reviewed artifact set. The instructions do tell users to inspect the source and package integrity.

Skill content
npm install cognitive-agent ... git clone https://github.com/World-peace001/cognitive-agent.git
Recommendation

Inspect the repository/package, pin trusted versions, and test in a sandbox before installing or invoking the package.

ASI06: Memory and Context Poisoning (Severity: Low)
What this means

Information from one task may be saved and influence later tasks.

Why it was flagged

The skill stores reusable execution patterns, lessons, successes, and knowledge. This is disclosed and path-scoped, but persistent memory can retain sensitive task details or be reused in future tasks.

Skill content
Experience is automatically saved to the `memory/` directory ... patterns/ ... lessons/ ... successes/ ... knowledge/
Recommendation

Avoid placing secrets or sensitive data in stored memory, and periodically review or clear the memory/ directory.