Pluginv0.2.0

ClawScan security

Plur1bus · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 1, 2026, 5:40 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill implements the claimed DeepLake-backed shared memory features, but it performs high-risk actions (running a remote install script, creating and storing long-lived API tokens, mounting a FUSE filesystem that can overlay user data) and even contains a hard-coded token in the distributed files — these behaviors are coherent with the stated purpose but elevate risk and warrant careful review before installing.
Guidance: What to consider before installing: - The plugin will install and run the DeepLake CLI by fetching and executing a remote installer (curl | bash). Review the install script at https://deeplake.ai/install.sh before allowing it to run. - It will start an OAuth device flow and automatically create and persist long-lived API tokens in ~/.deeplake/credentials.json (default one-year duration). If you don't want tokens stored on disk or want shorter-lived credentials, do not install or edit the code to change token behavior. - Conversations can be auto-captured and uploaded to DeepLake and will be shared with any agent using the same mount. If you require privacy, disable autoCapture/autoRecall or do not use this plugin. - The plugin mounts a FUSE filesystem (~/deeplake by default); mounting over an existing directory can hide/overwrite user files — back up important data and choose a dedicated mountPath before use. - The distributed package contains a file (dist/.env) with a CLAWHUB_CLI_TOKEN embedded; treat that as a potential leaked secret: avoid using it and ask the publisher to remove/rotate such tokens. - Safer options: run this plugin in an isolated VM/container for initial evaluation, inspect the install script and the plugin's source yourself (or ask the author to remove hard-coded tokens and change long-lived token behavior), or prefer plugins with audited install procedures and no remote-install at runtime. If you want, I can: summarize the exact lines that create and store tokens, extract the install and mount commands for offline review, or suggest a minimal checklist to harden the plugin before deployment.
Findings: [curl_pipe_bash_install] expected: The code runs 'curl -fsSL https://deeplake.ai/install.sh | bash' via execSync to install the DeepLake CLI. Fetching/executing an installer from the service being integrated is functionally expected, but executing remote install scripts at runtime is high-risk and should be reviewed (validate the install script at the URL before trusting). [execSync_shell_commands] expected: The plugin uses execSync to run system commands (mount, grep). This is expected for a filesystem-mounting plugin that relies on CLI tooling, but it increases the attack surface (shell injection risk mitigated by shell-escaping in search, though other execs pass constructed paths/commands). [hardcoded_token_in_dist_env] unexpected: A CLAWHUB_CLI_TOKEN value is present in dist/.env in the package. Shipping a token in the distributed files is not necessary for the plugin's stated purpose and is a potential secret leakage or misuse risk; this should be removed or rotated and audited. [long_lived_token_creation] expected: The code programmatically creates long-lived API tokens (POST /users/me/tokens) and stores them in ~/.deeplake/credentials.json. Creating tokens is consistent with enabling background sync and mounts, but the use of year-long tokens persisted unencrypted on disk is a security consideration.

Review Dimensions

Purpose & Capability: okName/description (cloud-backed persistent memory via DeepLake) match the code: the plugin discovers/creates a DeepLake mount, installs the DeepLake CLI, runs mount commands, and provides auto-recall/auto-capture using file reads/writes and grep. The capabilities requested and implemented are proportionate to the stated purpose.
Instruction Scope: noteSKILL.md and README accurately describe the runtime behavior (auto-recall before turns, auto-capture after turns, cloud sync). The plugin reads and writes files under ~/.deeplake and the mount, runs shell commands (mount, grep), and transmits credentials and API requests to api.deeplake.ai. This is expected for a cloud-backed memory plugin, but it does mean user conversations are uploaded to and persisted in the cloud and shared with other agents that use the same mount — a privacy decision users should be aware of.
Install Mechanism: concernThe plugin's install behavior (installCli) runs a remote installer via execSync('curl -fsSL https://deeplake.ai/install.sh | bash'). Executing a curl|bash install is high-risk even when pointed at an official domain because it fetches and executes remote code without review. The plugin also executes mount and other shell commands (execSync) to perform mounts. No registry install spec is declared, so installation relies on these runtime shell operations.
Credentials: concernThe registry metadata lists no required env vars/credentials, but the code initiates an OAuth device flow, creates long-lived API tokens via api.deeplake.ai, and writes them into ~/.deeplake/credentials.json (one-year duration). That behavior is consistent with enabling persistent cloud storage but is sensitive — long-lived tokens persisted on disk increase blast radius if the machine is compromised. Additionally, the package includes a dist/.env file with a CLAWHUB_CLI_TOKEN value embedded, which appears to be a hard-coded/packaged token (unnecessary and potentially dangerous).
Persistence & Privilege: concernThe plugin writes files to the user's home (~/.deeplake), creates mounts under the user's filesystem (~/deeplake by default), registers mounts.json entries, and runs commands that mount FUSE. While these actions are coherent with a memory/mounting plugin, they have persistent effects on the host (including risk of overlaying existing directories — the repo even notes that mounting over an existing directory may cause data loss). The skill is not marked 'always', but it does autonomously perform networked auth, token creation, and mount lifecycle operations.