Plugin v0.1.0
ClawScan security
Pluri1bus · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 31, 2026, 10:41 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The plugin implements the stated DeepLake-backed shared memory features, but it auto-installs remote code, auto-authenticates and creates/stores credentials in the user home, and will automatically capture and upload user messages to a cloud mount with “zero config” — behaviors that have significant privacy and install-safety implications and are not made explicit in the skill metadata.
- Guidance: What to consider before installing Pluri1bus:
  - Privacy: The plugin automatically saves user messages to a DeepLake cloud mount (auto-capture) and can surface those memories to agents (auto-recall). If your conversations contain secrets or regulated data, this plugin will persist them to a remote store unless you explicitly disable autoCapture/autoRecall.
  - Installer behavior: It will download and run https://deeplake.ai/install.sh (curl | bash) and run the DeepLake CLI (login/init/mount). Download-and-execute is high-risk even from official domains; review the install script first and prefer manual install in a sandboxed environment if you need to audit it.
  - Credentials: The plugin relies on and will create files under ~/.deeplake (credentials.json, mounts.json) and (per developer notes) the CLI may generate long-lived API tokens. Inspect ~/.deeplake after install and consider whether you want those tokens present on the host.
  - Controls: If you still want to try it, set plugin config autoCapture=false and/or autoRecall=false to prevent automatic uploading or automatic injection of memories. Manually review what is written under the mountPath and the contents of any created credentials file.
  - Alternatives and mitigations: Run installation in an isolated environment (container or VM), inspect the deeplake install script before running, or consider a memory plugin that uses local disk-only storage if you cannot accept cloud persistence of conversation data.
  - If you need help: ask the developer for an offline/manual install flow, explicit consent prompts, or documentation showing exactly what the install script does and how tokens/credentials are stored and revoked.
Review Dimensions
- Purpose & Capability (ok): Name/description (cloud-backed persistent memory via DeepLake) matches the code: the plugin locates/creates a DeepLake FUSE mount, reads/writes markdown files under the mount, performs grep-based search, and registers auto-recall/auto-capture hooks. The included files and openclaw.plugin.json align with the declared purpose.
- Instruction Scope (concern): Runtime behavior goes beyond passive helpers: the plugin registers lifecycle hooks that (a) auto-recall relevant files before each agent turn and (b) auto-capture and append user messages after each agent turn. Auto-capture persists user content into memory/<date>.md on a cloud-backed mount. SKILL.md advertises "zero config" and that the plugin "handles everything"; the code indeed auto-installs/authenticates and mounts DeepLake — this silently grants the plugin the ability to persist user conversation data to a remote service without an explicit consent/config step in the metadata.
- Install Mechanism (concern): The implementation runs execSync('curl -fsSL https://deeplake.ai/install.sh | bash') when the CLI is missing, i.e., it downloads and executes a remote install script at runtime. While the URL is the official deeplake.ai domain, curl|bash is a high-risk install pattern because it executes remote code on the host. The plugin also runs the CLI (node cli.js) and uses execSync for login/mount/init, which can run arbitrary CLI actions and create files under ~/.deeplake.
- Credentials (concern): No environment variables or credentials are declared in metadata, yet the plugin reads/writes to ~/.deeplake (mounts.json, credentials.json), and will run deeplake login which stores credentials (progress notes indicate the CLI can create long-lived API tokens). That implicit credential creation/storage (credentials.json + long-lived tokens) is disproportionate relative to the metadata's "zero config" claim and has privacy/security implications because conversation data is persisted to a cloud mount.
- Persistence & Privilege (note): always:false (normal). The plugin persists data to the user's home (~/.deeplake) and to a cloud-backed FUSE mount; it installs a CLI and may create long-lived tokens stored locally. Autonomous invocation is permitted (platform default) and the plugin registers agent lifecycle hooks, increasing the blast radius because data capture is automatic unless the user disables autoCapture in plugin config. The code does not attempt to modify other plugins or system-wide settings beyond writing to ~/.deeplake and the mount.
