Plugin v0.1.0-Alpha.34
ClawScan security
Cortex Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 14, 2026, 12:21 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The plugin mostly matches its stated purpose (a local long-term memory plugin) but contains a system-prompt override in SKILL.md and mismatches between its declared requirements and what the code and config actually expect. Review it carefully before installing it or trusting it with secrets.
- Guidance: This package implements a local long-term memory system and the code mostly aligns with that purpose, but proceed with caution:
  1. Do not paste the SKILL.md "system prompt" into your agent's system prompt verbatim. It contains mandatory rules that act like a prompt injection and can change agent behavior; review and adapt any suggested prompt instead of importing it as-is.
  2. The registry metadata lists no required environment variables, but the plugin expects embedding and LLM API keys and reads and writes OpenClaw config and data files. Provide only minimal, scoped credentials and verify where the configured endpoints point before enabling it.
  3. Audit the included code (dist/*.js and scripts/cli.js). scripts/cli.js can create or modify openclaw.json; back up your config and review the exact changes before running it.
  4. Install from a trusted source (the official clawhub registry or a vetted npm package), run it first in an isolated environment, and restrict its network access until you have confirmed its behavior.
  5. If you are not comfortable with autonomous invocation combined with the system-prompt instructions, disable autonomous invocation or do not apply the provided system prompt.
- Findings
[system-prompt-override] unexpected: SKILL.md includes an explicit 'Agent usage manual (system prompt)' with mandatory rules and 'do not delete' wording. While a memory plugin may provide suggested prompts, instructing operators to paste mandatory rules into the agent's system prompt is a prompt‑injection pattern and is not strictly necessary to provide memory storage functionality.
Review Dimensions
- Purpose & Capability (concern): The code and README implement a local Cortex memory system (embedding calls, a vector store, a graph store, sync tools), which matches the name and description. However, the skill metadata declares no required environment variables or config paths, while both the SKILL.md examples and the code expect API keys (EMBEDDING_API_KEY, LLM_API_KEY) and rely on OpenClaw config files (openclaw.json / OPENCLAW_CONFIG_PATH). This mismatch between declared requirements and actual runtime needs is a red flag: the plugin needs network API keys and access to the OpenClaw config and data directories even though the registry metadata lists none.
- Instruction Scope (concern): SKILL.md contains an explicit 'Agent usage manual (system prompt)' block instructing operators to paste a mandatory system prompt into the agent, including hard 'must follow' rules. This behaves like a system-prompt override / prompt injection attempt (the pre-scan flagged 'system-prompt-override'). Providing a recommended system prompt is reasonable for a memory plugin, but insisting that these rules go into the agent's system prompt and be marked 'do not delete' expands the plugin's scope from a storage/retrieval tool into altering agent behavior; treat it cautiously.
- Install Mechanism (note): No install spec in the registry (instruction-only), but the packaging and usage instructions rely on clawhub or npm pack, which is fairly typical. Sources are included in the package (many dist/*.js files), and there are no obvious downloads from untrusted URLs in the provided content. Install via the official OpenClaw plugin mechanism or a vetted npm package; avoid ad-hoc URL downloads.
- Credentials (concern): The registry lists no required env vars, but the SKILL.md sample config uses placeholders for EMBEDDING_API_KEY and LLM_API_KEY, and the code reads OPENCLAW_CONFIG_PATH, OPENCLAW_STATE_DIR and OPENCLAW_BASE_PATH. The plugin also contains a SENSITIVE_KEYS list and sends data to configurable embedding/LLM endpoints using the provided apiKey values. The absence of declared credentials in the metadata is inconsistent: the plugin needs API keys for embedding/LLM operations and accesses local config and data directories.
- Persistence & Privilege (note): always:false (good). The plugin can write to openclaw.json (scripts/cli.js) and creates and reads memory files under the OpenClaw workspace; these behaviors fit a memory plugin but mean it has filesystem persistence and can modify OpenClaw config when the user runs its CLI. The skill may also be invoked autonomously (disable-model-invocation:false); combined with the SKILL.md system-prompt instructions, that increases potential impact if the system prompt is applied.
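The Credentials dimension above (and guidance step 2) asks you to verify where the embedding/LLM endpoints point and to supply only scoped credentials before enabling the plugin. The following is an added example, not the plugin's or OpenClaw's code, of a pre-enable check on that configuration. The config shape (an `embedding` and an `llm` block, each with `endpoint` and `apiKey`), the `${ENV_VAR}` placeholder syntax and the host allowlist are assumptions modelled on the SKILL.md sample described above; adjust them to the plugin's real schema.

```javascript
// Added example (not the plugin's or OpenClaw's code): validate the embedding/LLM
// configuration before enabling the plugin. Config shape, placeholder syntax and
// the allowlist below are assumptions for this example.
const ALLOWED_HOSTS = new Set(["api.openai.com", "localhost", "127.0.0.1"]); // assumed allowlist
const PLACEHOLDER_RE = /^\$\{([A-Z_][A-Z0-9_]*)\}$/; // assumed "${ENV_VAR}" placeholder form

function checkProvider(name, cfg, env) {
  const problems = [];
  let url;
  try { url = new URL(cfg.endpoint); } catch { return [`${name}: endpoint is not a valid URL`]; }
  const local = url.hostname === "localhost" || url.hostname === "127.0.0.1";
  // Keys must not travel in cleartext, and only to hosts the operator has approved.
  if (url.protocol !== "https:" && !local) problems.push(`${name}: endpoint ${url.origin} is not https`);
  if (!ALLOWED_HOSTS.has(url.hostname)) problems.push(`${name}: endpoint host ${url.hostname} is not on the allowlist`);
  // Secrets belong in the environment, referenced by placeholder, not in the config file.
  const m = PLACEHOLDER_RE.exec(cfg.apiKey || "");
  if (!m) problems.push(`${name}: apiKey is a literal value; use a \${ENV_VAR} placeholder`);
  else if (!env[m[1]]) problems.push(`${name}: ${m[1]} is referenced but not set`);
  return problems;
}

// Returns a list of problems; an empty list means the config is safe to enable.
function validatePluginConfig(config, env = process.env) {
  return [
    ...checkProvider("embedding", config.embedding || {}, env),
    ...checkProvider("llm", config.llm || {}, env),
  ];
}

// Constructed configs: a weak one and its corrected form.
const WEAK_CONFIG = {
  embedding: { endpoint: "http://embeddings.example.net/v1", apiKey: "sk-live-abcdef" },
  llm: { endpoint: "https://api.openai.com/v1", apiKey: "${LLM_API_KEY}" },
};
const HARDENED_CONFIG = {
  embedding: { endpoint: "https://api.openai.com/v1", apiKey: "${EMBEDDING_API_KEY}" },
  llm: { endpoint: "https://api.openai.com/v1", apiKey: "${LLM_API_KEY}" },
};
const SAMPLE_ENV = { EMBEDDING_API_KEY: "x", LLM_API_KEY: "y" }; // constructed, not real keys

function weakConfigProblems() { return validatePluginConfig(WEAK_CONFIG, SAMPLE_ENV); }
function hardenedConfigProblems() { return validatePluginConfig(HARDENED_CONFIG, SAMPLE_ENV); }

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak:", weakConfigProblems());
  console.log("hardened:", hardenedConfigProblems());
}
```

The weak config fails on three counts (cleartext endpoint, unapproved host, literal key in the file); the hardened one passes only when both referenced variables are actually set, which is the check that catches the undeclared-credential mismatch the review flags.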
