Plugin v0.2.2
ClawScan security
Spark Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 29, 2026, 9:16 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin's code, config, and runtime instructions are consistent with a cloud-backed memory service: it sends conversation snippets to the vendor API (zellin.ai) for storage and nightly processing. The requested credentials (API key plus org ID) match that purpose, but the feature set (org-shared memory, auto-capture, nightly reflection) has substantial privacy implications that you should review before enabling it.
- Guidance: This plugin appears to do what it says: it uploads selected conversation content to a Spark (zellin.ai) API for persistent, org-scoped memory and nightly reflection. Before installing, consider:
  1) Privacy: org-scoped memories mean multiple agents and users in the same org can read stored data; do not enable this for sensitive teams without a policy review.
  2) Auto-capture: enabled by default; set autoCapture to false if you do not want content extracted automatically.
  3) Redaction limits: the plugin relies on regex redaction, which can miss secrets that do not match a known shape; do not share passwords, API keys, credentials, or PHI in chats the plugin is allowed to capture.
  4) Data lifecycle: ask the vendor (zellin.ai) about retention, encryption at rest, deletion/forget APIs, and who can access org memories.
  5) Keys and rotation: store SPARK_API_KEY in a secret store rather than in chat or plain config, and plan how you will rotate it if access must be revoked.
  6) Endpoint control: the plugin allows overriding apiUrl. That is useful for pointing at a self-hosted or enterprise endpoint if one is available, but it also means a wrong or tampered value silently sends every captured snippet elsewhere, so check the configured value before enabling capture.
  7) Audit the full source (the index.ts provided for this review was truncated) or request a complete code audit before using the plugin in production.
  If you need tighter privacy guarantees, leave autoCapture off and test with non-sensitive data first.
Review Dimensions
- Purpose & Capability
- ok: Name/description, openclaw.plugin.json, SKILL.md, and the code all describe a cloud-backed memory service and require an API key plus org ID. The plugin's network calls and config fields align with storing and recalling memories from a remote Spark API (zellin.ai). No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope
- note: Runtime instructions and code explicitly capture conversation content, sanitize it with redaction rules, and POST it to the vendor API for recall, insights, and nightly reflection. The SKILL.md tells users to set SPARK_API_KEY/SPARK_ORG_ID and integrate the plugin into OpenClaw. The plugin applies some prompt-injection and PII-redaction checks, but it still transmits session content to a third-party cloud. That is within the declared scope but is a significant privacy surface, and the redaction regexes may not catch every secret.
- Install Mechanism
- ok: No external download/install spec is present; the plugin is delivered as source files packaged with the skill. There are no installer URLs or archived downloads that would introduce supply-chain risk. package.json lists a small dependency (@sinclair/typebox), and no installation-time fetch from arbitrary hosts is specified in the provided metadata; that package is still resolved from the npm registry at install time, so pin its version through the lockfile.
- Credentials
- note: The plugin requires only an API key and org ID (declared in the plugin JSON and SKILL.md), which is proportionate to a cloud memory service. However, memories are org-scoped (multiple users share the same org memory) and auto-capture defaults to enabled, which increases the risk of sensitive data being shared across users. The code attempts to redact obvious PII and prompt-injection phrases, but regex-based redaction is imperfect; treat transmission of confidential content as possible.
- Persistence & Privilege
- note: always:false (normal). The plugin persists user conversation summaries and supports nightly reflection in the vendor cloud; persistent storage and periodic processing are core features. It does not request elevated system privileges or modify other plugins' configs, but persistence and org-wide sharing expand the blast radius of any data leak.
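Guidance item 3 and the Credentials dimension both warn that regex-based redaction can miss secrets. The following is an added example written for this review page, not code from the Spark Memory plugin's index.ts: it builds a small regex redactor of the kind the review describes (the rule list is an assumption about what such a redactor typically covers) and runs it over constructed chat snippets to show which secrets are removed and which pass through verbatim. The same probe approach can be pointed at the plugin's real redaction before autoCapture is enabled.

```typescript
// Added example for this review page, not code from the Spark Memory plugin.
// A regex-based redactor of the kind the review describes, plus a probe set
// that shows which secrets it catches and which pass through untouched.
// The rule list below is an assumption about what such a redactor covers.

interface Rule {
  name: string;
  pattern: RegExp;
}

const RULES: Rule[] = [
  { name: "email", pattern: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi },
  { name: "aws-access-key", pattern: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "bearer-token", pattern: /\bBearer\s+[A-Za-z0-9._~+/=-]{20,}/g },
  { name: "password-field", pattern: /\b(?:password|passwd|pwd)\s*[:=]\s*\S+/gi },
  { name: "ssn", pattern: /\b\d{3}-\d{2}-\d{4}\b/g },
];

export interface RedactResult {
  text: string;   // the snippet with each match replaced by [REDACTED:<rule>]
  hits: string[]; // names of the rules that fired, one entry per match
}

// Applies every rule in order and records which rules matched.
export function redact(input: string): RedactResult {
  const hits: string[] = [];
  let text = input;
  for (const rule of RULES) {
    text = text.replace(rule.pattern, () => {
      hits.push(rule.name);
      return `[REDACTED:${rule.name}]`;
    });
  }
  return { text, hits };
}

export interface Probe {
  label: string;  // what kind of secret the snippet carries
  text: string;   // constructed chat snippet, not a real conversation
  secret: string; // the substring that must not survive redaction
}

// Constructed snippets; the keys and passwords are placeholders, not real credentials.
export const PROBES: Probe[] = [
  { label: "AWS key inline", text: "deploy with key AKIAIOSFODNN7EXAMPLE please", secret: "AKIAIOSFODNN7EXAMPLE" },
  { label: "password field", text: "db password: Tr0ub4dor&3 on prod", secret: "Tr0ub4dor&3" },
  { label: "SSN", text: "his SSN is 123-45-6789", secret: "123-45-6789" },
  { label: "bearer token", text: "send Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def", secret: "eyJhbGciOiJIUzI1NiJ9.abc.def" },
  { label: "secret with no recognisable shape", text: "the signing key is 9f2c8e1d4b7a6c3e", secret: "9f2c8e1d4b7a6c3e" },
  { label: "key split across words", text: "first half AKIAIOSFODNN then 7EXAMPLE", secret: "AKIAIOSFODNN" },
  { label: "obfuscated email", text: "mail me at alice [at] example [dot] com", secret: "alice [at] example [dot] com" },
  { label: "secret named in prose", text: "our API key is the word hunter2, do not share it", secret: "hunter2" },
];

export interface ProbeReport {
  caught: string[]; // probes whose secret was removed
  missed: string[]; // probes whose secret survived verbatim
}

// Runs every probe through redact() and reports which secrets leaked.
export function runProbes(probes: Probe[] = PROBES): ProbeReport {
  const report: ProbeReport = { caught: [], missed: [] };
  for (const p of probes) {
    const { text } = redact(p.text);
    if (text.includes(p.secret)) {
      report.missed.push(p.label);
    } else {
      report.caught.push(p.label);
    }
  }
  return report;
}

console.log(JSON.stringify(runProbes(), null, 2));
```

Run it with ts-node or tsx; the printed report lists four snippets whose secret survives: a secret with no recognisable shape, a key split across words, an obfuscated address, and a secret simply named in prose. Replace PROBES with the kinds of content your own team pastes into chats and run the same check against the plugin's actual redaction rules; any probe that lands in `missed` is content that would reach the vendor API unchanged.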
