Oathe Security Badge

Is bluepointdigital/vector-memory safe?

https://clawhub.ai/bluepointdigital/vector-memory

87
SAFE

This appears to be a legitimate vector memory enhancement skill that provides semantic search capabilities for AI agent memory. While it contains executable code and downloads ML models, the functionality matches the stated purpose with no evidence of malicious behavior.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (3)

MEDIUM Executable JavaScript code with system command execution -20

The skill contains Node.js code that uses execSync to execute system commands. While this appears to be for legitimate memory operations, it represents a potential attack vector if input validation is insufficient.

LOW External ML model download -10

The skill downloads an ~80 MB machine learning model (all-MiniLM-L6-v2) from external sources. This is legitimate functionality for vector embeddings but represents external network access.

LOW Install script execution -5

The skill includes an install.sh script that performs system operations including file copying, npm install, and initial sync. The operations appear legitimate but represent code execution during installation.