Pluginv0.9.9

ClawScan security

Plur Claw Publish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 23, 2026, 11:51 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The plugin is generally coherent with a local persistent-memory purpose, but it auto-modifies OpenClaw configuration and the agent's system prompt (telling the agent not to ask permission), and it wires in an npx-run MCP server — behaviors users should review before installing.
Guidance: What to check before installing: - Review package contents and source: the bundle includes dist/*.js and a postinstall step (node dist/setup.js) which will attempt to edit ~/.openclaw/openclaw.json to enable the plugin and add an MCP server entry. If you prefer manual control, do not run the postinstall; run the included setup command yourself (npx @plur-ai/claw setup) or edit your OpenClaw config manually. - Inspect the system prompt edits: the plugin appends a PLUR instructions block to SYSTEM.md that tells agents to use persistent memory and explicitly says "Do not ask permission to use these tools." If you are uncomfortable with agents autonomously learning or changing behavior without explicit user consent, do not enable auto_learn/auto_capture or remove that section before enabling. - Review the MCP wiring: the plugin configures mcp.servers.plur to run `npx -y @plur-ai/mcp` (with PLUR_PATH defaulting to ~/.plur). That means the system will fetch/run code from npm when the MCP server starts. If you need air-gapped operation or want to vet the mcp package, install @plur-ai/mcp from a vetted source or vendor it locally. - Backup your OpenClaw config first (~/.openclaw/openclaw.json). After install, inspect the file for changes and verify only expected entries were added. - If you want to reduce risk: disable auto_learn and auto_capture in the plugin config, set a restrictive injection_budget, or run the plugin in a test agent/workspace first. Also review @plur-ai/core and @plur-ai/mcp packages (their source and network behavior) if you need higher assurance. - Confidence note: medium — the package is internally coherent for a memory plugin, but the automatic config changes and system prompt modification (instructing autonomous behavior) are behaviorally significant and merit explicit user consent and review.

Review Dimensions

Purpose & Capability: okName/description (PLUR memory for OpenClaw) matches the code and manifest: the package implements a 'memory' context engine, injects memory instructions into the system prompt, and persists data under a PLUR path. Enabling itself in OpenClaw config and registering an MCP server is consistent with a memory plugin that needs a local service.
Instruction Scope: concernThe plugin appends a large PLUR memory section to the agent's SYSTEM.md/system prompt and explicitly instructs agents: "Do not ask permission to use these tools — they are your memory system." It also instructs the agent to read the filesystem (Read/Grep/Glob) and to prefer memory recall before external search. These are functionally coherent but grant the plugin broad autonomous behavior and persistent modification of agent prompts — a notable scope increase that should be understood before enabling.
Install Mechanism: noteThere is no external 'install' spec in the registry, but the package includes a postinstall script (node dist/setup.js) that attempts to auto-edit ~/.openclaw/openclaw.json to enable the plugin and add an mcp.servers.plur entry that runs `npx -y @plur-ai/mcp`. The postinstall itself is local, but the configured MCP command will cause npx to fetch/run code from npm at runtime. This behavior is reasonable for a plugin that needs a helper service but is something to review.
Credentials: okThe package does not request credentials or declare required env vars. It honors OPENCLAW_HOME and PLUR_PATH as optional overrides. No unrelated secrets or credentials are requested in the manifest or code.
Persistence & Privilege: concernThe package writes to the user's OpenClaw config (~/.openclaw/openclaw.json) during setup to enable itself and to configure an MCP server, and it appends persistent instructions to the system prompt. Although 'always' is false, these persistent changes alter agent behavior and grant the plugin ongoing influence over the agent's prompts and memory usage — exercise caution and review/change defaults (auto_learn/auto_capture) if needed.