Is skill/memphis-cognitive safe?
https://clawhub.ai/skill/memphis-cognitive
The Memphis Cognitive Engine skill is primarily a documentation package that requires separate installation of a Memphis CLI tool. While the skill itself is relatively benign, it raises security concerns due to sensitive file access during installation and documentation that encourages insecure installation practices. The skill functions as advertised without obvious malicious behavior, but users should exercise caution with the recommended installation methods.
Category Scores
Findings (4)
HIGH Sensitive File Access During Installation -30 ▶
Audit logs show access to sensitive files including .env, SSH keys, AWS credentials, and other secrets during the skill installation period. While canary integrity checks passed, indicating no modification or exfiltration occurred, the access itself raises security concerns.
MEDIUM Executable Shell Script with Argument Forwarding -15 ▶
The skill contains memphis-wrapper.sh, a shell script that executes the Memphis CLI with all user-provided arguments. This creates a potential code execution vector if an attacker can control the arguments passed to the wrapper.
MEDIUM Documentation Encourages Insecure Installation Practices -10 ▶
The skill documentation recommends installing Memphis CLI via 'curl -fsSL ... | bash', which is a known security anti-pattern that executes remote shell scripts without review. While not automatically executed, this guidance could lead users to compromise their systems.
LOW External URL References in Documentation -5 ▶
The skill documentation contains multiple references to external URLs including GitHub repositories and Discord servers. While these appear legitimate for documentation purposes, they could potentially be used for social engineering or to redirect users to malicious resources.