Plugin v0.2.4

ClawScan security

Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 25, 2026, 5:32 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The plugin's code largely matches a 'memory' plugin (local DB access, LLM calls, license/update checks), but there are a few mismatches and risky patterns (undocumented env usage, shell execs) that warrant caution before installing.
Guidance
What to consider before installing:

- The plugin appears to be a legitimate memory-stack extension: it reads/writes ~/.openclaw data, indexes with sqlite3, calls embeddings/LLM endpoints, and performs license and update checks against https://openclaw-api.apptah.com. That behavior aligns with its stated purpose.
- Caveats and risks:
  - The plugin's code invokes shell commands via child_process.execSync (sqlite3 and command probes). Shell execution increases risk if untrusted input reaches those commands; while the implementation does some escaping, this pattern broadens the attack surface.
  - The code will probe and call local LLM services (localhost:8080 and :11434) and remote LLM endpoints; it also reads OPENCLAW_LLM_API_KEY / OPENAI_API_KEY from the environment even though the skill metadata declares no required env vars. If you store sensitive credentials in environment variables, be aware the plugin will attempt to use them.
  - It phones home for license verification and update checks, sending the license key/device_id and current version. If you don't want that data sent, do not use the plugin or remove the local license file.
- Practical recommendations:
  - If you plan to install, review the full source (dist/index.mjs) yourself or run it in an isolated environment (sandbox, VM, or container) first.
  - Confirm the vendor domain (openclaw-api.apptah.com) is expected/trustworthy for your use case.
  - Avoid running this plugin on hosts that store other sensitive credentials in environment variables you don't want referenced.
  - If possible, request the upstream/source repository or a signed release to increase confidence.

Overall: the plugin is coherent with its stated purpose but contains executable patterns (shell use, network calls) and an undeclared env-var usage that justify extra caution.

Review Dimensions

Purpose & Capability
ok: The package is declared as a memory plugin and the code operates on ~/.openclaw/* (sqlite DBs, MEMORY.md, graph files), manages embeddings/LLM calls, and provides memory indexing — behavior consistent with a memory-stack plugin.
Instruction Scope
note: SKILL.md content is essentially the package manifest; runtime code (dist/index.mjs) will read/write files in the user's home (~/.openclaw), run local sqlite3 commands, probe local LLM services (http://localhost:8080 and :11434), and call remote endpoints for LLM/chat/embeddings. The manifest does not explicitly document these network or shell actions, and the code reads OPENCLAW_LLM_API_KEY / OPENAI_API_KEY from env (not declared in the registry metadata). These behaviors are plausible for a memory plugin, but the lack of explicit documentation in SKILL.md and the broad file/command access are worth noting.
Install Mechanism
ok: No install spec is provided (instruction-only), and included files are packaged; nothing is downloaded from arbitrary URLs during install. The plugin ships compiled code (dist/index.mjs) that will be loaded at runtime — standard for an extension.
Credentials
note: The registry declares no required env vars, but the code reads OPENCLAW_LLM_API_KEY and OPENAI_API_KEY if present to call LLM endpoints — this is reasonable for LLM usage but is an undeclared ambient credential access. No unrelated cloud credentials are requested. License/update network calls use a locally read license.key (from files under ~/.openclaw) and will POST that key to the vendor API; this is proportionate to the claimed license/update behavior but should be expected by the user.
Persistence & Privilege
ok: The plugin writes and updates files under its own home paths (~/.openclaw/memory-stack and related). always is false and it does not request system-wide configuration changes or other skills' credentials. Runtime autonomous invocation is allowed (default) which is normal for skills.