Plugin v0.1.0
ClawScan security
Notes · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 28, 2026, 10:04 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin's code and behavior largely match a local notes tool, but the SKILL.md contains metadata that would force always-on activation (conflicting with registry flags) and warrants caution before enabling.
- Guidance: The plugin's code implements a straightforward local notes store and is coherent with its description, but check the SKILL.md metadata: it sets openclaw.always=true (making the plugin always considered for invocation). Confirm whether you want a notes plugin to be always active — if not, disable or remove that metadata before installing. Also review or restrict the configured storagePath so the plugin cannot be pointed at sensitive files, and inspect the package-lock or run the build in an isolated environment if you want to validate third-party dependencies before use.
Review Dimensions
- Purpose & Capability (ok): Name/description align with the implementation: the code implements local note creation, search, append history and storage to a JSON file (default ~/.openclaw/state/notes/notes.json). No network calls or unrelated binaries are requested. The package-lock shows many npm packages, but that is likely due to transitive dependencies (e.g., the platform's 'openclaw' dependency) rather than the plugin itself requesting unrelated credentials or services.
- Instruction Scope (note): SKILL.md runtime instructions limit behavior to the notes_* tools and local JSON storage; the code reads/writes only the configured storagePath and does not reference other system files or network endpoints. However, the skills/notes/SKILL.md includes YAML metadata setting openclaw.always to true, which expands runtime scope by telling the agent to always consider using these tools — this is not explained or justified in the prose and is a behavioral expansion compared with a normal optional plugin.
- Install Mechanism (ok): There is no remote download URL or extract step; installation is standard npm (the README suggests npm install and build). No suspicious external download hosts are used. The package-lock contains many dependencies (truncated in the manifest) but they appear to come from normal npm packages; there is no evidence of custom remote installers or URL-shortened downloads.
- Credentials (ok): The plugin declares no required environment variables or credentials. It only needs filesystem access to read/write the user-storage JSON file. Note: storagePath is configurable and can point to any path the user supplies; this is expected for a notes plugin but means a user-supplied path could overwrite files if misconfigured.
- Persistence & Privilege (concern): The SKILL.md header includes metadata setting openclaw.always to true (skills/notes/SKILL.md). That would make the skill persistently eligible for invocation on every agent run. The registry metadata provided with the skill shows always: false at the top level, so there is a discrepancy between the registry flags and the SKILL.md metadata. 'always: true' is a significant privilege and should only be used with clear justification.
