ClawAudit verdict
rune
A self-described 'self-improving' memory system that installs via a script, injects context into every conversation, tracks behavioral patterns, and routes notifications to external channels (Discord, DM); the combination of persistent cross-session behavioral tracking, automatic context injection, and external channel routing warrants scrutiny even without concrete evidence of malice.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Permission integrity
package_install
Findings (7)
Possible hardcoded credential
install.sh · prose · downgraded · API_KEY='your-key
Uses exec() — may execute shell commands
src/advanced-memory.js · prose · downgraded · exec(
Dynamic import() — loads module at runtime
src/cli.js · prose · downgraded · import('
References sudo — requests elevated privileges
src/extract.js · prose · downgraded · sudo
Popular HTTP library — network access
package.json · prose · downgraded · node-fetch
Accesses sensitive environment variables
src/extract.js · prose · downgraded · process.env.OPENAI_API_KEY
References agent memory files
src/self-improvement.js · prose · downgraded · memory.md
Why the tier is capped
Execution sink present in raw bytes (Hard Floor: class B/D). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.
Permissions & capabilities
No declared permissions — minimal attack surface.
package_install Is this flag fair?
Thanks — recorded.