Plugin v0.1.0

ClawScan security

MetaInsight Context Engine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Mar 24, 2026, 3:13 AM)
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The plugin's code and instructions match a context-engine that uploads local memory files to Tencent COS/CI and injects recalled content into the model prompt — this is coherent with its stated purpose, but there are mismatches in declared metadata and a few behaviors (prompt-layer replacement, automatic scanning/upload of many local files) that raise privacy/privilege concerns and deserve careful review before enabling.
Guidance
This plugin appears to implement what it advertises: automatic syncing of MEMORY.md, daily logs and referenced assets to Tencent COS and using CI datasets for semantic recall. However:
- Do not enable it unless you trust the package source. The registry metadata omitted required credentials (SecretId/SecretKey/APPID) even though the plugin requires them; treat that as a quality/attention-to-detail red flag.
- Grant the plugin only a least-privilege Tencent account: create a dedicated CAM subaccount with the minimal COS + CI permissions listed (bucket creation, PUT/GET/DELETE objects, CreateDataset/CreateDatasetBinding/search) rather than using your full-owner credentials.
- Audit what local files will be uploaded: by default it scans many extensions (images, pdfs, docx, csv, md, txt). If you have sensitive files in your workspace, disable localMemorySync or narrow syncFileExtensions before enabling.
- Be aware it registers hooks that can modify the system prompt and inject recalled content into every turn; this is intended but gives the plugin active influence over LLM behavior. If you need isolation, run in a test agent or sandbox first.
- Check and/or change the debug and cache locations (~/.openclaw/.sync-hash-cache.json, ~/.openclaw/debug/) if you're concerned about local traces.
- If anything looks unexpected (unknown upstream, missing package signing, or odd remote endpoints), do not provide credentials; inspect cos-bootstrap.ts / cos-operations.ts and test in an isolated environment.
If you want, I can: (a) extract the exact API calls the bootstrap will make, (b) show which local paths the code will scan and upload, or (c) draft minimal CAM policy JSON granting only the required permissions.
Findings
[system-prompt-override] expected: The pre-scan flagged 'system-prompt-override' content. The plugin explicitly registers a before_prompt_build hook and code to replace the 'Memory Recall' section of the system prompt — this is expected for a context engine, but the capability to override system-prompt layers increases the risk if the plugin is untrusted.

Review Dimensions

Purpose & Capability
Note: The name/description claim a Tencent COS+CI-backed context engine; the code implements bootstrapping buckets/datasets, uploading MEMORY.md, daily logs and assets, and performing CI hybridsearch. Requiring Tencent SecretId/SecretKey/APPID is proportionate to that purpose. However, the registry metadata presented earlier states "Required env vars: none / Primary credential: none", which is inconsistent with the plugin's documented and implemented requirement for Tencent credentials in configuration (openclaw.plugin.json and SKILL.md).
Instruction Scope
Concern: Runtime instructions and code will scan workspace directories (~/.openclaw/workspace or parent directories of sessionFile), parse MEMORY.md and daily logs, extract referenced assets and upload a wide range of local files (images, docs, PDFs, spreadsheets, text). The plugin also registers before_prompt_build hooks that replace parts of the system prompt (Memory Recall layer) and caches system prompts per session. Those behaviors are functionally consistent with a context engine but mean the skill will read and transmit potentially sensitive local files and will actively modify the system prompt content the LLM sees — both are powerful actions that users must explicitly consent to.
Install Mechanism
OK: There is no opaque download/install-from-URL behavior; this package is distributed with source and a normal package.json that depends on cos-nodejs-sdk-v5 (npm). No install spec is included (the user installs via the OpenClaw CLI or manually and runs npm install). No extract-from-arbitrary-URL installs were detected.
Credentials
Concern: The plugin legitimately needs Tencent SecretId / SecretKey / APPID to create buckets, upload objects and call CI. That scope is appropriate for the declared integration. However, the registry metadata omitted these required credentials, which is inconsistent. The plugin will also access local files under the workspace (including many file extensions by default), write debug/system prompt caches to ~/.openclaw, and persist a hash cache — these filesystem accesses are expected for sync functionality but increase the sensitivity of the credentials you grant (they permit uploading arbitrary workspace content).
Persistence & Privilege
Note: always:false (not force-included) and normal autonomous invocation are used. The plugin registers hooks (llm_input, before_prompt_build, after_tool_call) and will run background sync tasks (file watchers, periodic sync every N turns). That lifecycle fits a context engine, but granting it the ability to override system-prompt layers and to run file-system watchers means it has ongoing influence over conversation context and can autonomously upload data when enabled — a meaningful privilege that should be consciously granted.