Plugin v0.4.3
ClawScan security
Neotoma · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 9:38 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and CLI mostly match a local MCP server, but the runtime instructions and some packaged CLI behaviors ask agents to inspect broad local context and to modify other tooling/config files (symlinks, IDE/agent rule files), which is disproportionate and surprising.
- Guidance
- This package appears to implement the Neotoma MCP server (code matches the description), but two things raise caution: (1) the SKILL.md encourages agents to inspect "any broader tool, workspace, and configuration context you can access" and to perform installs/configuration autonomously, which grants broad read/action permission; (2) the CLI includes functions that will write to project and user-level agent instruction files (e.g., ~/.cursor, .claude, .codex, project .cursor/.claude paths), break symlinks, and auto-update rule files. Before installing or letting an agent run the recommended 'agent-driven install' flow, consider:
  - Review the package source (package.json, openclaw.plugin.json) and any npm package metadata to confirm publisher and integrity.
  - Prefer manual install in an isolated environment or container (audit what files the CLI will write and what commands it runs).
  - Do not allow autonomous agent invocation to perform installs or to scan your entire workspace unless you explicitly trust it; require manual confirmation for any filesystem or home-directory writes.
  - If you need this capability, ask the maintainer for an explicit list of paths the CLI may modify and an explicit opt-in flow (no silent breaking of symlinks).
  Additional information that would raise confidence to 'benign': explicit, limited prompts (no sweeping 'inspect all context'), and documented opt-in behavior for any writes to user/home config files with clear user consent.
- Findings
- [system-prompt-override] unexpected: SKILL.md contains prompts that tell the agent to 'inspect any broader tool, workspace, and configuration context you can access' before answering and to run install/configuration steps. For a memory storage service, asking an agent to scan arbitrary workspace/context is broader than necessary and matches a prompt-injection pattern.
Review Dimensions
- Purpose & Capability
- note: The name/description (MCP server for deterministic personal memory) aligns with the included source code (HTTP server, OAuth, MCP bridges, storage, embeddings). However, the package also contains CLI helpers that scan and modify project and user-level IDE/agent instruction files (e.g. .cursor/.claude/.codex paths), which is broader than a pure storage/MCP server and may surprise users.
- Instruction Scope
- concern: SKILL.md instructs agents to 'inspect any broader tool, workspace, and configuration context you can access' and to 'install, activate it with my data, and configure my current tool'; this gives the agent broad, discretionary permission to read environment state and run installers. The packaged CLI code implements functions that will read and write user-level rule files, break symlinks, and auto-update instruction files, operations outside simple memory storage and notable scope creep.
- Install Mechanism
- note: The registry declares no install spec, but the repo contains a full dist and package.json; SKILL.md suggests using 'npm install -g neotoma' (pulling from npm) or Docker. npm installs are common but introduce moderate risk (remote package execution). There is no opaque download URL in the registry metadata, but the instruction to let an agent perform installs autonomously is potentially risky.
- Credentials
- concern: The skill declares no required env vars/credentials, yet runtime instructions explicitly ask the agent to inspect the broader workspace and configuration context beyond any declared variables. The code also contains routines that touch user-level config locations (home dirs) and project files, which is disproportionate to what a user might expect from a memory server unless they explicitly consent.
- Persistence & Privilege
- concern: The skill is not 'always' enabled, but the code includes functions that write to other tools' instruction files, create/break symlinks, and offer to write into ~/.cursor, ~/.claude, ~/.codex and project rule paths. That modifies other tooling and agent configuration beyond the skill's own files, which is a significant persistence/privilege surface and should be made explicit and opt-in.
