Pluginv0.3.2

ClawScan security

Openclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 24, 2026, 6:58 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The plugin's code, scripts, and runtime instructions are coherent with its stated purpose (semantic, persistent memory for OpenClaw); no unrelated credentials, installers, or network endpoints are requested — but review how it reads/writes transcripts and prompt templates before enabling automatic capture.
Guidance: This plugin appears to implement what it claims, but take these precautions before installing: - Review and accept that conversation summaries are stored as plain markdown under your OpenClaw workspace (~/.openclaw/...); these files are readable and may be version-controlled if you add them to a repo. - memory_transcript will read transcript files referenced by anchors in memory chunks. If your memory files or anchors point to transcripts outside the workspace or to files containing secrets, the plugin will surface that content. Consider turning autoCapture off (plugin config) if you don't want automatic writing of summaries. - The plugin supports external embedding providers (openai/google/etc.). If you change provider, you'll need to supply API keys; those keys are not requested by the plugin by default but will be used if configured. - The installer notes recommend uv/uvx and shows a curl | sh command as guidance; do not run network-install commands you haven't audited. Prefer package manager or official releases you trust. - The repository includes prompt templates (summarizer). Those templates direct model behavior for captured summaries — they are expected but review them if you have strict content-handling rules. If you want higher assurance, inspect the full index.ts (the truncated part shown registers tools and runs local commands), confirm the memsearch CLI source you will install, test in an isolated agent/workspace, and disable autoCapture until you're comfortable with its behavior.
Findings: [system-prompt-override] expected: A prompt-like instruction (e.g., 'You are a third-person note-taker') is present in prompts/summarize.txt. This is expected: the plugin ships a dedicated summarization prompt used to produce per-turn notes. It's a legitimate artifact but is why prompt-injection detectors flagged the package.

Review Dimensions

Purpose & Capability: okName/description match implementation: the code registers memory tools, injects recent memories, summarizes turns, writes/reads plain-markdown memory files under the OpenClaw workspace, and derives Milvus collection names. It does not ask for unrelated cloud credentials or system-wide access beyond the agent workspace.
Instruction Scope: noteSKILL.md and the code restrict activity to the agent workspace and memory files (~/.openclaw/workspace/.memsearch). The plugin reads session transcripts and memory markdowns and exposes a memory_transcript tool that will read transcript files referenced by anchors — this is expected for the feature but means the plugin can surface the contents of any transcript file it is pointed to. The included summarization prompt templates direct model behavior (expected), but you should be aware they are effectively system-style instructions for producing summaries.
Install Mechanism: okThere is no aggressive install spec embedded in the registry metadata (instruction-only). The repo contains an install.sh that uses local OpenClaw and uvx tooling; it only suggests (but does not automatically perform) a network installer (curl ... | sh) as a user hint. No archives are downloaded from untrusted shorteners or personal IPs by the package itself.
Credentials: okThe plugin declares no required env vars or credentials. Code reads standard env (HOME) and copies process.env when spawning commands — normal for a plugin. The plugin supports alternative embedding providers (openai, google, etc.); if you switch provider, you'll need to supply the appropriate API keys outside the plugin, which is expected but not declared as required by default.
Persistence & Privilege: okalways:false and user-invocable defaults are preserved. The plugin writes to its own paths under the OpenClaw workspace (~/.openclaw/extensions/memsearch and ~/.openclaw/workspace/.memsearch), registers hooks and tools for the agent, and does not attempt to modify other skills or global system configuration.