Pluginv0.3.7

ClawScan security

DeepLake Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 2, 2026, 10:22 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill does what it says (captures and shares agent conversations to DeepLake) but it automatically persists conversation data to a cloud org, creates long-lived API tokens, and modifies the host OpenClaw config file — behaviors that are privacy-sensitive and deserve caution.
Guidance: This plugin appears to be what it claims: a shared memory service that automatically uploads conversations to DeepLake and re-injects recalled memories into agent prompts. Before installing, consider: 1) privacy — conversations (user and assistant messages) will be sent to the DeepLake cloud and become searchable by anyone in the same DeepLake organization; don't use this in sensitive/system contexts without explicit consent. 2) Token lifetime — the plugin attempts to create a long-lived API token (~1 year) and stores it at ~/.deeplake/credentials.json; review and revoke the token in your DeepLake dashboard if necessary. 3) Local config changes — it will edit ~/.openclaw/openclaw.json to add its load path; back up that file and be aware of config changes. 4) If you want to limit exposure, disable autoCapture and/or autoRecall in plugin config (openclaw.json → plugins.entries.deeplake-plugin.config) or test the plugin in a non-production org/account first. If you need higher confidence, inspect the listed source files locally (dist/ and src/) and verify tokens created on DeepLake match your expectations.

Review Dimensions

Purpose & Capability: okName/description match the code: the plugin auto-captures conversations and auto-recalls them from DeepLake via REST. There are no unexpected third-party credentials or unrelated binaries requested.
Instruction Scope: concernRuntime behavior captures every user and assistant message (autoCapture default true) and uploads them to DeepLake cloud; it also injects recalled memories before agent turns. These actions are coherent with a 'shared memory' plugin but are privacy-sensitive: the plugin will transmit conversation content off-host and make it searchable by anyone in the same DeepLake organization. The README/SKILL.md claim 'Zero config' but the code also writes an auth prompt into agent replies and edits local OpenClaw config to ensure hooks fire (see addToLoadPaths).
Install Mechanism: okNo external installs or downloads; this is an instruction-only plugin (code included in the package) and uses only fetch() and node fs APIs. No URL shorteners or remote code downloads are present.
Credentials: noteNo environment variables or external secrets are requested, and credentials are obtained via a device-code flow. The plugin creates and saves an API token (attempts to create a long-lived token with ~1 year duration) to ~/.deeplake/credentials.json (file mode 0600). Creating long-lived tokens and storing them in the user's home directory is expected for this purpose but is sensitive — tokens should be reviewed and revoked if needed.
Persistence & Privilege: concernThe plugin writes into host config (~/.openclaw/openclaw.json) to add its install path to plugins.load.paths so hooks run after restart. Modifying the global OpenClaw config is a broader system change than merely storing its own credentials and may affect how other plugins are loaded. always is false and model invocation is allowed (normal), but combined with automatic capture and cloud sync this increases blast radius.