Low Risk — Risk Score 15/100
Last scan: 2 days ago
quint-memory
Quint Memory Guard - portable context layer for AI agents that preserves memory across sessions
A legitimate context memory skill with declared external API connectivity and standard credential storage patterns. Minor documentation gaps around credential paths do not constitute security violations.
Skill Name: quint-memory
Duration: 32.4s
Engine: pi
Safe to install
Consider documenting credential storage paths (~/.quint, ~/.openclaw/quint.json) in SKILL.md for transparency. Otherwise safe to use.

Findings 2 items

Severity Finding Location
Low
Undocumented credential storage
SKILL.md does not mention that credentials are stored in ~/.quint or ~/.openclaw/quint.json. This is standard practice but should be documented.
No mention of credential storage paths
→ Add 'What Quint Stores' section documenting ~/.quint for tokens and ~/.openclaw/quint.json for device credentials
SKILL.md:1
Low
Setup script not referenced in documentation
SKILL.md describes the setup flow but does not mention the setup.sh script or its execution. Users are expected to run 'openclaw quint pair' not setup.sh directly.
Walk your user through this step by step
→ Consider documenting that setup.sh handles MCP server registration
SKILL.md:71

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Aligned | handler.ts:31 reads ~/.openclaw/quint.json for device credentials |
| Network | NONE | WRITE | ✓ Aligned | setup.sh:71, handler.ts:40 POST to api.getquint.ai - documented purpose but not … |
| Shell | NONE | WRITE | ✓ Aligned | setup.sh:85 uses claude mcp add for legitimate MCP server registration |

6 findings

| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://getquint.ai | README.md:3 |
| Medium | External URL | https://getquint.ai/signup | README.md:13 |
| Medium | External URL | https://api.getquint.ai/mcp | README.md:24 |
| Medium | External URL | https://relay.getquint.ai/v1/relay/status/[device_id | SKILL.md:84 |
| Medium | External URL | https://api.getquint.ai | SKILL.md:127 |
| Medium | External URL | https://nodejs.org | setup.sh:14 |

File Tree

4 files · 16.6 KB · 448 lines
Markdown 2f · 235L Shell 1f · 108L TypeScript 1f · 105L
├─ 📜 handler.ts TypeScript 105L · 3.0 KB
├─ 📝 README.md Markdown 37L · 1.0 KB
├─ 🔧 setup.sh Shell 108L · 3.9 KB
└─ 📝 SKILL.md Markdown 198L · 8.8 KB

Security Positives

✓ Uses environment variables QUINT_TOKEN and QUINT_PRINCIPAL_TOKEN instead of hardcoding credentials
✓ No credential exfiltration - tokens used only for authenticated API calls to declared endpoints
✓ Standard file permissions (chmod 600) applied to credential storage
✓ No base64-encoded payloads or obfuscated code
✓ External URLs all reference documented getquint.ai domain
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ Setup script provides proper error handling and user consent prompts
✓ Validates tokens against API before saving