Plugin v0.6.0

ClawScan security

Memrok · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 9:06 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and behavior match its stated purpose (local graph-based memory curation); it can read session transcripts and optional workspace Markdown and may call configured remote models — these behaviors are documented and opt-in.
Guidance
This plugin is internally coherent for local-first, judged memory curation. Key things to consider before installing:
(1) bootstrap (scanning workspace Markdown) is opt-in — keep it disabled unless you want broad file ingestion;
(2) if you configure a remote scribe provider/model, session transcripts and selected file contents will be sent to that provider — prefer local models if privacy is a concern;
(3) the plugin stores sensitive data in ~/.memrok/memrok.db — secure and back it up appropriately or change dbPath;
(4) review the bundled system/reflection prompts (in dist/) before enabling remote providers to ensure they don't include behavior you dislike;
(5) consider turning off reflective scribe or evalEvents if you want minimal exfiltration surface.
If you want higher assurance, review the repo source (provided) and run the local inspection scripts (dry-run) the SKILL.md documents before enabling persistence or remote providers.
Findings
[system-prompt-override] expected: The package includes system and reflection prompts (dist/system-prompt.md, dist/reflection-prompt.md). That appears intentional: the scribes need explicit system prompts to guide extraction/reflection. It's expected for a scribe-based memory plugin, but you should review those prompts because they run against whichever model provider you configure.

Review Dimensions

Purpose & Capability
ok: Name/description (graph-based memory curation) align with the code and runtime instructions: watching transcripts, persisting into a local SQLite DB (~/.memrok/memrok.db), deriving artifacts with 'scribes', and injecting curated headers. No unrelated credentials, binaries, or surprising install steps are requested.
Instruction Scope
note: SKILL.md and bundled prompts instruct the plugin to watch OpenClaw session directories and (optionally) scan workspace Markdown files when bootstrap is enabled. That file/system access is consistent with the stated goal but is a privacy-sensitive surface: enabling bootstrap or using remote scribe providers will transmit conversation/file content to those providers. Defaults (bootstrap off, local DB) favor local-first operation.
Install Mechanism
ok: No external download/install URLs are present in the manifest; the package contains source and built JS. Installation is via the OpenClaw plugin system (openclaw plugins install clawhub:memrok). No extract-from-unknown-URL or remote installers were detected.
Credentials
ok: The skill declares no required env vars or credentials. It relies on OpenClaw's model plumbing for provider API keys (i.e., it will use whatever model/provider the OpenClaw runtime supplies). This is proportionate to a plugin that can be configured to use remote LLM providers.
Persistence & Privilege
ok: always:false (no forced global inclusion). The plugin persists a local SQLite DB and optional eval logs; this is expected for a memory/curation plugin. It does not request or modify other skills' configs in the provided artifacts.