Security audit

Edithai

Security checks across malware telemetry and agentic risk

Overview

EdithAI is a coherent log-analysis skill, but users should treat logs, reports, API keys, and history as sensitive.

Install only if you trust the external npm package and are allowed to send the relevant log content to DeepSeek. Use a dedicated, quota-limited API key; keep it out of source control; run the tool from a limited directory; redact secrets and personal data from logs; configure command allowlists/blacklists; and clear ~/.edithai/history.json after sensitive analysis.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Low
Confidence: 87%
Finding
The quick reference documents a persistent conversation history file (`~/.edithai/history.json`) but does not warn users that prompts, log excerpts, file paths, or other potentially sensitive operational data may be stored locally. In a log-analysis tool, this can expose confidential data to other local users, backups, or forensic collection, especially when analyzing production logs or incident-response artifacts.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README states that the tool is AI-powered and requires a DeepSeek API key, but it does not clearly disclose that user-supplied log contents may be sent to a third-party API for processing. Logs often contain sensitive data such as credentials, tokens, internal hostnames, customer information, or security events, so omission of this data-flow warning can lead users to unintentionally exfiltrate confidential information.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill documentation explicitly promotes AI-powered log analysis, file operations, and report generation, but it does not clearly warn users that log contents may be transmitted to the DeepSeek API or that outputs/history may be stored locally. Because logs often contain credentials, tokens, internal URLs, stack traces, or personal data, this omission can lead users to expose sensitive information without informed consent.

Session Persistence

Medium
Category: Rogue Agent
Content
edithai -query "find all database connection errors"

# Generate performance report
edithai -query "create performance summary from application logs"
```

### Interactive Mode
Confidence: 83%
Finding
create performance summary from application logs" ``` ### Interactive Mode ```bash # Start interactive session edithai -i # Multi-turn conversation about logs > show me memory usage trends > find me

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.