smart-memory
Fail
Audited by Snyk on Mar 2, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). Both URLs point to third-party code distributions: a GitHub releases page that may host unvetted native binaries (vec0.so) and a nonstandard package host (clawhub.ai). Downloading and installing those binaries/packages from unfamiliar accounts is a plausible malware vector and should be treated as suspicious.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The README and installer include a one-liner that fetches and pipes a remote script to the shell (curl -sL https://raw.githubusercontent.com/BluePointDigital/smart-memory/main/install.sh | bash), which downloads and executes repository code at runtime, enabling arbitrary remote code execution.
Audit Metadata