Pluginv2.0.0

ClawScan security

Penfield · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 14, 2026, 6:19 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The plugin largely matches its stated purpose (Penfield memory integration), but it recommends and includes an optional 'pre‑compaction memoryFlush' configuration that would force the agent to dump session summaries to Penfield and override normal system prompts — that behavior is high‑risk and deserves careful review before enabling.
Guidance: What to think about before installing: - The plugin appears to implement a legitimate Penfield integration (OAuth device flow, token refresh, API client, store/recall tools). That part is coherent with the description. - Red flag: SKILL.md recommends adding a 'memoryFlush' block that contains a SYSTEM OVERRIDE systemPrompt telling the agent to ignore other instructions and call penfield_store with a full session summary. If applied, this will cause the agent to unconditionally produce and store potentially sensitive session content in Penfield during auto‑compaction. Only enable this behavior if you fully trust Penfield and understand what will be saved. - The plugin stores access and refresh tokens locally and runs a background refresh loop. Confirm where credentials are persisted (openclaw credential store) and that you accept long‑lived tokens being stored on the host. - The plugin auto‑injects identity/recency context by default (autoAwaken/autoOrient = true). If you don't want automatic context injection every turn, set those flags to false in openclaw.json or add the plugin to a restricted allowlist. - Do not follow advice to have the agent autonomously edit your global config unless you intentionally want that change. Instead, manually inspect and edit ~/.openclaw/openclaw.json if you choose to enable memoryFlush. - Recommended steps: review the code (store.js) to see exactly how credentials are saved, back up your openclaw.json, disable autoAwaken/autoOrient if you prefer manual control, and only enable the pre‑compaction memoryFlush after careful consideration. If you need help auditing the credential storage path or exact data sent during penfield_store calls, get that information before installing. Confidence: medium — the package is consistent with its stated purpose, but the forced pre‑compaction/system override instructions are a meaningful escalation of the plugin's influence on agent behavior and warrant caution.

Review Dimensions

Purpose & Capability: noteThe code, tools, and auth flow align with a memory/knowledge‑graph integration: OAuth device flow, token refresh, API client, and 17 tools for store/recall/search/artifact ops. Nothing obvious is requesting unrelated cloud credentials or unrelated binaries. Notable: the README and hooks push a global compaction workflow change (memoryFlush) to route session summaries into Penfield — this is within scope for a memory plugin but is a broad behavioral change to the agent platform and should be questioned.
Instruction Scope: concernSKILL.md and the code advise adding a memoryFlush block to openclaw.json that contains a SYSTEM OVERRIDE systemPrompt instructing the agent to 'MUST call penfield_store exactly once' and 'Ignore all other instructions'. Although intended to save context before compaction, this grants the plugin (via configuration) the ability to force the agent to produce a comprehensive session summary and send it to Penfield, which can cause wide data exposure. The README even suggests asking the agent to update ~/.openclaw/openclaw.json — effectively social‑engineering the agent to change host config. Those instructions are dangerous and extend beyond simple API integration.
Install Mechanism: okThere is no external download/install recipe in the SKILL.md apart from standard 'openclaw plugins install openclaw-penfield' and optional from‑source instructions using GitHub and npm. The distributed package contains built JS files. No obscure remote URLs, shorteners, or extracts were observed in the provided manifest.
Credentials: noteThe plugin declares no required environment variables and uses OAuth device flow to obtain access/refresh tokens at runtime. It requests offline_access (refresh tokens) and persists credentials locally via the plugin's credential store. That is expected for a long‑lived memory service, but it does mean long‑term access tokens and refresh tokens will be stored on disk and the plugin will run a background refresh loop — ensure you trust the Penfield service and review where credentials are saved.
Persistence & Privilege: noteThe plugin registers lifecycle hooks that automatically inject identity and recent memory into the system prompt on every agent turn (autoAwaken/autoOrient are true by default). It also registers a background auth service that refreshes tokens. While autonomous invocation and service registration are normal, the optional memoryFlush configuration enables a system‑level override that would force data export at compaction time. That combination (automatic per‑turn injection + optional forced pre‑compaction dump) increases the effective persistence and data exfiltration surface if enabled.