nexo-brain 安全扫描报告 — 低风险 | ClawSafe

15 /100

nexo-brain

Cognitive memory system for AI agents — Atkinson-Shiffrin memory model, semantic RAG, trust scoring, and metacognitive error prevention

NEXO Brain is a well-documented cognitive memory skill with no embedded code, only a metadata file that describes installing a legitimate npm package and configuring an MCP server.

技能名称nexo-brain

分析耗时25.1s

引擎pi

✓

可以安装

This skill is safe as delivered. However, verify the npm package 'nexo-brain' integrity before installation, as the skill defers execution to an external package. No local security risks from the SKILL.md file itself.

安全发现 1 项

严重性	安全发现	位置
低危	External npm package dependency 供应链 The skill instructs users to install 'nexo-brain' from npm without specifying a version hash or checksum for verification. The actual code executes from the external package. `package: nexo-brain` → Add a cryptographic hash (SHA256) or content-verified integrity check for the npm package to prevent supply chain tampering.	`SKILL.md:11`

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`NONE`	—	No file operations in SKILL.md
网络访问	`NONE`	`NONE`	—	No network calls in skill file; only documentation URLs
命令执行	`NONE`	`NONE`	—	No shell commands in SKILL.md
环境变量	`NONE`	`NONE`	—	No environment access
技能调用	`NONE`	`NONE`	—	No inter-skill invocation
剪贴板	`NONE`	`NONE`	—	No clipboard access
浏览器	`NONE`	`NONE`	—	No browser access
数据库	`NONE`	`NONE`	—	Skill references SQLite usage but only in documentation

1 项发现

🔗

中危外部 URL 外部 URL

https://www.npmjs.com/package/nexo-brain

SKILL.md:101

目录结构

1 文件 · 3.5 KB · 101 行

Markdown 1f · 101L

└─ 📝 SKILL.md Markdown 101L · 3.5 KB

安全亮点

✓ No embedded code or scripts in the skill file

✓ Complete documentation of intended functionality

✓ No credential harvesting or environment variable access

✓ No network calls or data exfiltration channels

✓ No obfuscation or base64-encoded content

✓ Clear separation between skill metadata and actual implementation