atxp-memory

Warn

Audited by Socket on Feb 22, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Installation of third-party script detected

No direct malware indicators are present in the specification. The feature set is coherent with the stated purpose. The primary security concerns are data-exfiltration/privacy risk from uploading potentially sensitive .md files to ATXP cloud and standard supply-chain risk when installing optional npm dependencies. Recommend: (1) users verify what files they store in .md before running push; (2) confirm ATXP server endpoints, data retention, and encryption-at-rest policies; (3) avoid installing unpinned optional dependencies or review @zvec/zvec package integrity; (4) secure storage and limited scope for ATXP_CONNECTION tokens. Overall the skill appears functionally consistent but carries moderate privacy/supply-chain risk due to cloud backup and optional third-party installs.

LLM verification: The document describes a plausible and useful memory-management tool focused on Markdown files with local vector search and cloud backup capabilities. The core risk is supply-chain: commands use npx atxp@latest and require npm installs (un-pinned), so arbitrary remote code can be executed locally and could exfiltrate more than '.md' files or mishandle credentials. The 'only .md' and 'limited filesystem' guarantees are unverified in this spec and must be validated by reviewing the actual package

Confidence: 85%
Severity: 75%

Audit Metadata
Analyzed At: Feb 22, 2026, 11:44 PM
Package URL: pkg:socket/skills-sh/atxp-dev%2Fcli%2Fatxp-memory%2F@4b8c4428ce8a509df440cbc41e42f5afd19c6403