Plugin v5.0.6
ClawScan security
Virtual Context · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 2, 2026, 1:58 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The plugin's code and instructions match its stated purpose (routing conversation history to a VC cloud service, returning compressed context, and registering retrieval tools), but it intentionally transmits full conversations and can override system prompts and dynamically register tools from the remote service — these are powerful, privacy-sensitive behaviors you should knowingly accept before installing.
- Guidance
- This plugin is internally coherent and does what it says, but it intentionally sends full conversation history and can override system prompts and register remote tools. Before installing: 1) Verify you trust virtual-context.com and its data handling/privacy policies; 2) Keep vcKey scoped/rotated and stored securely (openclaw.json contains the key); 3) Do not enable debug in production (it logs message previews); 4) Use the providers config to restrict which models the plugin may act on; 5) Audit the remote tool definitions fetched at bootstrap (or run the plugin in an isolated environment first) — remote tool registration can introduce unexpected behaviors; 6) Consider compliance/privacy implications of sending transcripts to a third party. If you want a firmer assessment, provide the remote /api/v1/tools/definitions response or vendor documentation showing what data the cloud stores and for how long.
- Findings
[system-prompt-override] expected: The SKILL.md and code explicitly document that the cloud can return a system prompt override; the prompt-injection pattern detected is therefore an expected behavior of this plugin but is security-relevant because it allows remote modification of the agent's system prompt.
Review Dimensions
- Purpose & Capability
- ok: The name/description match the implementation: the plugin sends conversation payloads to a configured Virtual Context API, returns compressed/enriched payloads, registers remote tools, and ingests assistant replies. There are no unrelated credentials or binaries requested.
- Instruction Scope
- concern: The runtime instructions explicitly send full message histories to a third-party endpoint, replace messages in-place, and can override the system prompt if the cloud returns one. While this is within the declared purpose (context compression/management), it grants the remote service the ability to change agent behavior and receive all conversation content — a high-risk scope that requires trust in the vendor and careful configuration (e.g., do not enable debug in production).
- Install Mechanism
- okNo install script or external downloads; code is included in the skill bundle and runs as an OpenClaw lifecycle plugin. There are no package downloads from arbitrary URLs or extract steps.
- Credentials
- note: The plugin requires a vcKey (configured in openclaw.json) to call the VC API — that single credential is proportional to the stated cloud integration. However, the plugin transmits potentially sensitive data (full conversations, assistant replies, and possibly system prompts) to the remote service, so the sensitivity of what is sent is high even though the number of credentials requested is small.
- Persistence & Privilege
- concern: Not always-enabled and not requesting elevated platform privileges, but the plugin dynamically fetches tool definitions from the cloud and registers them at runtime. That means remote-controlled tool definitions can expand agent capabilities unexpectedly. Combined with the ability to override system prompts, this increases the attack surface and the need to trust the remote service.
