Pluginv0.4.30

ClawScan security

episodic-claw (Based on Human Episodic Memory) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 26, 2026, 10:29 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely matches its stated purpose (an episodic memory engine), but there are several mismatches and risky behaviors (undeclared env usage, a hidden postinstall binary download, and system-prompt injections) that merit caution before installing.
Guidance: Key things to consider before installing: - Transparency mismatch: the package metadata claims no required environment variables, but the code reads at least OPENROUTER_API_KEY and honors EPISODIC_SKIP_POSTINSTALL. Expect to supply API keys if you want remote embedding/reasoning; do not provide keys you don't trust sending conversation data to. - External network activity at install: the package's postinstall script downloads a prebuilt Go sidecar binary from GitHub Releases into dist/. If you want to avoid running a third-party binary, either set EPISODIC_SKIP_POSTINSTALL=1 and install the sidecar manually from a verified release, or build the sidecar from source yourself. - Data exfiltration surface: when configured with external APIs (Gemini/OpenRouter), conversation content (memories) will be sent to those services for embedding/reasoning. If you need to keep conversations fully local, do not configure remote API keys or review the code paths to ensure a local-only mode is used. - System-prompt injection: the plugin intentionally injects memory content and bridge texts into the model's system prompt to implement recall/compaction. This behavior is necessary for the feature but is powerful — verify you trust the plugin's logic and templates (compactor/anchor texts), because they influence future model outputs. - What to do now: review the repository (https://github.com/YoshiaKefasu/episodic-claw), inspect the GitHub release artifacts (and checksums/signatures if provided), consider running in an isolated environment, and prefer building the sidecar from source if you cannot verify the binary. If you plan to use external providers, only supply API keys with appropriate least-privilege and in accounts you control. If unsure, treat this skill as experimental and test with non-sensitive conversations first.
Findings: [system-prompt-override] expected: The skill intentionally constructs and injects bridge/anchor/system messages into the model prompt to implement compaction and recall. This is an expected behavior for a memory plugin, but it is sensitive because it changes the model's system prompt and could be used to influence model behavior if misused.

Review Dimensions

Purpose & Capability: noteThe name/description (episodic memory) align with the included code: the package contains index, compactor, retriever, archiver, anchor-store, and clients for external embedding/reasoning services (Gemini, OpenRouter). However, the package's runtime reads environment/configuration for external APIs (e.g., OPENROUTER_API_KEY) even though the skill metadata declares no required env vars — a mismatch between declared requirements and actual code that the user should know about.
Instruction Scope: concernSKILL.md and the code show the plugin will intercept turns, build recall queries, and inject past memories into the model's system prompt (memory injection/bridge texts). A pre-scan detected 'system-prompt-override' patterns: the skill deliberately generates text that gets inserted into system prompts (expected for a memory plugin) but this behavior is sensitive because it modifies the system prompt and could affect model behavior. The SKILL.md also describes calling external embedding/reasoning endpoints (Gemini/OpenRouter) — which implies user data (conversation content) will be sent to third-party APIs when configured.
Install Mechanism: noteThere is no declared install spec in registry metadata, but the package includes a scripts/postinstall.cjs which downloads a platform-specific Go sidecar binary from GitHub Releases into the package's dist/ folder at install time. Downloading an executable is a reasonable design for a sidecar, and GitHub Releases is a well-known host, but it is still an arbitrary binary that will be written to disk and potentially executed by the host — users should verify the release source or build the sidecar locally. The presence of this postinstall script is an important runtime/install action that was not reflected in the registry 'install spec'.
Credentials: concernDeclared requirements list no environment variables, but the code reads environment/configuration values (notably process.env.OPENROUTER_API_KEY and EPISODIC_SKIP_POSTINSTALL). The plugin includes clients for external services (Gemini, OpenRouter) which will require API credentials to operate; requiring these keys is proportional to the feature, but the omission from the declared metadata is a transparency issue. Users should assume conversation data will be transmitted to any external API they configure.
Persistence & Privilege: okalways:false and the skill does not request system-wide privileges. It reads and writes files within the agent workspace (anchor.md, episode files) and caches a sidecar binary under dist/. That file I/O is expected for a memory engine and the skill does not appear to modify other skills or global agent settings. Autonomous invocation is allowed (default) — expected for a plugin — but combine this with the other concerns (external API access and binary download) when deciding trust.