Plugin v1.0.1
ClawScan security
Mirror Palace · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 14, 2026, 7:16 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package claims a tiny purpose but actually bundles a large personal workspace (memory, identity, backup scripts, and other skills) with instructions that reference external API keys and backups; the surface is broader and more sensitive than the minimal SKILL.md indicates.
- Guidance: This package is suspicious because it contains a large personal workspace (identity, daily memory files, people profiles, and backup scripts) while offering almost no explicit purpose in its top-level SKILL.md. Before installing or enabling this skill:
  1. Inspect and remove any files you wouldn't want an agent to read (memory/, USER.md, identity/person files).
  2. Don't allow the skill to run unattended: it references cloud backup and memory plugins (OPENAI_API_KEY, SUPERMEMORY_API_KEY, MEM0_API_KEY) even though none are declared.
  3. Review and sandbox the backup scripts (scripts/backup-to-icloud.sh, scripts/backup-primary-repos.sh); they can move or upload local data.
  4. If you only want the memory tooling, extract the specific sub-skill (elite-longterm-memory) and audit its SKILL.md and bin/elite-memory.js; do not install the whole repo with personal data.
  5. If you don't trust the publisher or if the presence of personal logs is unexpected, do not install this skill.

  Additional useful info to change the assessment: an explicit top-level SKILL.md that documents intended runtime actions and a reduced manifest that excludes personal memory and backup scripts.
Review Dimensions
- Purpose & Capability (concern): The top-level metadata (name: Mirror Palace; description: 'mirror-palace') gives no clear capability, yet the repository includes a full personal workspace: identity, user profile, daily memory logs, agent rules, backup scripts, and an included sub-skill (elite-longterm-memory). That much personal data and operational tooling is disproportionate to the stated/empty purpose. The presence of backup scripts and exports (backup-to-icloud.sh, backup-primary-repos.sh, logs/, memory/*, USER.md, IDENTITY.md) suggests the package is intended to operate on or expose local personal data, which does not match the minimal description.
- Instruction Scope (concern): The provided SKILL.md is only a stub, but the repo contains many instruction files (AGENTS.md, BACKUP.md, various SKILL.md under subfolders) that tell an agent to read and write personal memory files, run backups, consult SESSION-STATE.md and MEMORY.md, and message a Telegram DM. AGENTS.md and other docs instruct agents to read SOUL.md, MEMORY.md, memory/YYYY-MM-DD.md, and to run local scripts. That scope includes reading and transmitting sensitive local state and running backup scripts, which is broader than a benign 'mirror-palace' skill would imply, and the top-level instructions are vague enough to grant broad discretion.
- Install Mechanism (ok): There is no install spec (instruction-only), which minimizes installer risk. However, the package includes executable scripts and a Node CLI (elite-memory) that would be present on disk when installed; although nothing is auto-downloaded during install, those files give an agent commands to run locally (init/status/today) and scripts to run backups. No external arbitrary download URLs were found in the manifest.
- Credentials (concern): Top-level requires.env lists none, but included sub-skill SKILL.md and docs reference several API keys and env vars (OPENAI_API_KEY, SUPERMEMORY_API_KEY, MEM0_API_KEY, and references to Telegram DM contact). The repo contains code and docs that would use credentials for memory plugins and cloud backups, yet the top-level metadata does not declare or limit these requirements: a mismatch between referenced secrets and declared requirements. Also, the workspace contains many personal files (people/, memory/, USER.md) which are sensitive despite no env vars being required.
- Persistence & Privilege (note): always is false and disable-model-invocation is false (normal). The primary concern is not the skill forcing itself into every session, but that it packages long-term personal memory and backup tooling into a skill a model could be allowed to run. That gives any agent invocation access to a large, sensitive workspace. The skill does not request modifications to other skills or agent configs, but it does include scripts that, if run, would persist backups and logs (local filesystem and iCloud paths).
