Plugin v27.2.15
ClawScan security
Gralkor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 16, 2026, 11:17 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package appears to implement the described memory plugin functionality, but it embeds and runs a local Python server, asks you to provide LLM API keys and a persistent data directory (which the manifest does not declare), and requires a forced/unsafe install — these inconsistencies raise caution before installing.
- Guidance: Before installing: (1) Review server/main.py and any scripts that spawn subprocesses — confirm what is executed and what external network calls are made. (2) Choose a dedicated, restricted dataDir (not your home directory) because the plugin will persist full session transcripts, thoughts, and tool outputs. (3) Provide only the minimal LLM credential you trust and consider using a scoped key or a dev account to limit exposure; the package supports multiple providers but you only need one. (4) Prefer to run this plugin in an isolated environment (VM or container) until you audit it. (5) If you rely on the registry metadata for minimal privilege checks, note the manifest omission of required API keys/binaries — ask the author to correct metadata and to justify the 'unsafe' install flag. (6) If you are not comfortable with a plugin auto-capturing and sending all agent messages to a local process that may call external LLMs, do not enable the auto-capture/auto-recall hooks.
Review Dimensions
- Purpose & Capability
- note: The code and hooks (Graphiti client, hooks for agent lifecycle, distillation, server/main.py) match the stated purpose of a long-term memory plugin using Graphiti/FalkorDB. However, the manifest declares no required env vars and no required binaries while the README/.env.example and config support multiple LLM provider keys and require Python 3.12 and the 'uv' runtime; that mismatch between claimed minimal requirements and the files/instructions is an incoherence that should be resolved.
- Instruction Scope
- concern: Runtime instructions and code enable auto-capture of entire sessions (messages, 'thoughts', tool uses) and distillation via an LLM. Captured data is persisted to a user-specified dataDir and sent to a local Graphiti server process which itself may call external LLM/embedding providers using API keys. The plugin therefore collects broad conversational context (including potentially sensitive content) and transmits it to a local process that performs network calls; this is within the plugin's stated purpose but is high-impact and should be clearly understood before enabling.
- Install Mechanism
- concern: There is no formal install spec in the registry metadata (instruction-only), yet the package contains an embedded Python server (server/main.py), uv.lock, and many distributable artifacts. The README explicitly asks users to use '--dangerously-force-unsafe-install' because the install-time scanner flags the embedded Python server. Installing will create files, require Python/uv, and will run a managed subprocess, which is higher-risk than a pure instruction-only plugin.
- Credentials
- concern: The registry metadata lists no required environment variables, but .env.example, config types, and the SKILL.md show that an LLM API key (Google/OpenAI/Anthropic/Groq etc.) must be supplied (either via plugin config or host env). Accepting multiple provider keys as optional is reasonable for a multi-provider plugin, but the manifest omission is inconsistent. Also, the plugin will persist session data to a chosen dataDir and may index user files; providing LLM keys and a persistent directory grants the plugin access to sensitive material and to external APIs.
- Persistence & Privilege
- note: The skill does not request 'always: true' and does not modify other plugins' configurations, but it runs a long-lived managed subprocess and stores persistent data in a user-specified dataDir that survives reinstalls. That persistence is expected for long-term memory but increases blast radius (stored memories, local server with network access).
