Plugin v0.1.5

ClawScan security

ClawXMemory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (scanned Apr 3, 2026, 8:49 AM)
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The plugin's codebase matches a local-memory + UI plugin, but the runtime SKILL.md is incorrect: it contains package.json content and prompt-injection markers, and the package lock contains many unrelated SDKs. These inconsistencies warrant caution before installing.
Guidance
Do not install this skill yet. Issues to resolve before trusting it:
- SKILL.md mismatch: The published SKILL.md appears to contain the package.json contents instead of clear runtime instructions the agent should follow. Ask the author to publish a proper SKILL.md describing exactly what commands the agent will run and what files/paths it will read/write.
- Prompt-injection markers: The SKILL.md triggered 'system-prompt-override' and 'unicode-control-chars' detections. Have the author remove any hidden/control characters and verify the instructions don't attempt to override system prompts or inject arbitrary model directives.
- Review runtime code: Because the package ships a large codebase, request a targeted review of runtime.ts, ui-server.ts, and core/storage/sqlite.ts to confirm there are no outgoing network calls, telemetry, or unexpected environment access (look for fetch/http, sockets, process.env usage, or hardcoded endpoints). Pay attention to any code that might read arbitrary files or transmit DB contents.
- Explain package-lock contents: The lockfile contains many cloud SDKs (AWS, Anthropic, etc.) not declared in package.json. Ask why these appear (dev tooling, local testing) and request a minimal lockfile or confirmation they are not used in production runtime.
- Sandbox first: If you still want to evaluate, run the plugin in an isolated sandbox (no network egress or sensitive credentials) and inspect what ports it binds and which files it creates before enabling it broadly.
If the author provides a corrected SKILL.md and a short security note confirming no network exfiltration and why the lockfile contains extra SDKs, you can re-evaluate; until then treat the package as suspicious.
Findings
[system-prompt-override] unexpected: SKILL.md is expected to contain runtime instructions for the agent; presence of system-prompt-override patterns is suspicious because it could attempt to change the agent's system prompt or behavior. The SKILL.md appears to be package.json rather than neutral instructions, compounding the concern.
[unicode-control-chars] unexpected: Unicode control characters can be used to hide payloads or manipulate tokenization/visible content. They are unexpected in a plain runtime instructions file and should be removed or explained.

Review Dimensions

Purpose & Capability
note: The name, openclaw.plugin.json, and many source files (sqlite storage, ui-server, indexers, L0/L1/L2 logic) are coherent with a local memory plugin and a local dashboard UI. Requiring no env vars and providing dbPath/dataDir in config schema is proportionate.
Instruction Scope
concern: The SKILL.md content supplied in the registry is not human/runtime instructions but appears to contain the package.json content for the project (and the pre-scan flagged prompt-injection patterns). That is an incoherence: the runtime instructions the agent should follow are missing or replaced. The SKILL.md also contains patterns (system-prompt-override and unicode control characters) that can be used to manipulate an LLM's behavior; this is a high-risk finding because SKILL.md is the instructions surface the agent will follow at runtime.
Install Mechanism
ok: No install spec is declared (instruction-only in the registry), which reduces install-time risk — nothing is downloaded or run by the registry installer. The package includes source/dist files but the registry does not present an automatic download/install URL.
Credentials
note: The plugin declares no required environment variables or primary credential, which aligns with a local-first memory plugin. However, the included package-lock.json (and some dev entries) show many cloud SDKs (AWS, Anthropic, etc.) present in the lockfile; those SDKs are not declared in package.json dependencies and are likely dev/transitive — they increase review surface and should be explained by the author.
Persistence & Privilege
ok: The plugin is not marked always:true and is user-invocable; it binds a local dashboard host/port by default (127.0.0.1:39393) and persists to a sqlite DB path under configurable options, which is expected for a memory plugin. No evidence it requests elevated system privileges or modifies other skills' configs was found in the manifest.