Plugin v0.3.7

ClawScan security

DeepLake · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 3, 2026, 6:21 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The plugin generally does what it advertises (auto-capture and auto-recall to DeepLake) but it writes credentials to the user's home, modifies OpenClaw config, and the SKILL metadata/instructions understate those side effects — these mismatches warrant caution.
Guidance
This plugin legitimately implements a cloud-backed memory: it will automatically capture user and assistant messages and store them in DeepLake, and it uses a device-auth flow that creates and saves tokens under ~/.deeplake/credentials.json. It also edits your OpenClaw config (~/.openclaw/openclaw.json) to ensure it is loaded on restart. Before installing:
1) Confirm you are OK with all conversations being sent to deeplake.ai and shared across agents in the same DeepLake organization;
2) Review DeepLake's privacy/retention policies and your org membership settings;
3) After install, inspect ~/.deeplake/credentials.json and ~/.openclaw/openclaw.json to verify what was written;
4) If you want to limit exposure, disable autoCapture/autoRecall in plugin config or run the plugin in a restricted/sandboxed environment;
5) The SKILL.md claims read-only behavior but the code writes files and modifies config — treat the metadata as incomplete and audit the package source if this matters for your security posture.

Review Dimensions

Purpose & Capability
note: The name/description match the code: the plugin auto-captures assistant/user messages and searches/writes them to DeepLake via REST. There are no unrelated external endpoints or unexpected binaries. Minor mismatch: the agent-facing SKILL metadata indicates read-only behavior (allowed-tools: Read) while the plugin performs writes to disk and network.
Instruction Scope
concern: The human-facing SKILL.md and README omit two runtime behaviors present in the code: saving auth tokens to ~/.deeplake/credentials.json and mutating ~/.openclaw/openclaw.json to add load paths. SKILL.md claims 'Zero config' and doesn't explicitly disclose on-disk writes or changes to OpenClaw config. The plugin auto-captures all conversation messages and sends them to DeepLake cloud — this is consistent with purpose but is a broad data-collection action that users should be explicitly warned about.
Install Mechanism
ok: No external downloads or extract-from-URL installs. Code is included in the package; network use is limited to api.deeplake.ai which matches the stated provider. package.json declares an npm spec but there is no opaque installer URL.
Credentials
note: The skill requests no environment variables and uses a device-auth flow to obtain a token. It stores tokens locally (~/.deeplake/credentials.json) and attempts to create long-lived tokens via the DeepLake API — this is proportionate to providing persistent cloud-backed memory but carries privacy/credential-storage implications (tokens are created and persisted to disk).
Persistence & Privilege
concern: The plugin writes credentials to the user's home and mutates the user's OpenClaw configuration (~/.openclaw/openclaw.json) to add plugin load paths so its hooks fire — this modifies global agent config and increases persistence. always:false, but the config mutation is a notable privilege/scope change that should be disclosed to users and admins.