Plugin v0.1.10

ClawScan security

QMD Recall · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 9:00 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The plugin's code, hooks, and configuration are coherent with its stated purpose (querying a QMD HTTP endpoint and injecting relevant snippets into the prompt); nothing in the bundle requests unrelated credentials or performs unexpected system actions, but you should review the configured qmdUrl and plugin settings because the plugin will send user text to that endpoint and may inject private snippets into prompts.
Guidance
This plugin appears to do exactly what it says: query a configured QMD HTTP endpoint and prepend relevant memory snippets to prompts. Before enabling it: (1) ensure qmdUrl points to a trusted, internal QMD service (avoid pointing it at unknown external URLs), (2) keep logSnippets false unless you understand the logging implications, (3) restrict agents and allowedChatTypes in the plugin config if you only want it to run in limited contexts, and (4) review minScore/maxResults/maxInjectedChars to limit how much private content can be injected. The bundled doctor script uses QMD_RECALL_URL for testing — that's optional. If you want stronger assurance, inspect runtime network policies to ensure the plugin can only reach the intended QMD host.

Review Dimensions

Purpose & Capability
ok
Name/description match implementation: the plugin listens on before_prompt_build, builds a query from the user prompt/messages, POSTs to a configurable QMD HTTP endpoint, parses hits, filters/formats them, and may prepend a 'Relevant memory' block to the prompt. It does not request unrelated credentials, binaries, or system access.
Instruction Scope
ok
Runtime behavior stays within the stated scope: reads the prompt/messages/context, constructs a query, calls the configured qmdUrl via fetch, parses JSON, and injects formatted snippets into the prompt. It does not execute shell commands or read arbitrary files. Note: it will send user text to the configured HTTP endpoint and may inject private snippets into the agent's hidden prompt context.
Install Mechanism
ok
No install spec; the package includes only JS code and metadata (dist/*.js, openclaw.plugin.json, package.json). Nothing is downloaded from external URLs or written during installation by the plugin spec itself.
Credentials
note
The skill declares no required env vars or credentials. A bundled doctor script optionally respects QMD_RECALL_URL and other QMD_RECALL_* env vars for testing, but these are not required. The operator must supply a qmdUrl via plugin config; misconfiguring that URL (pointing it to an external/third-party endpoint) would expose user prompts/snippets to that endpoint — this is expected for a retrieval plugin but is a privacy/exfiltration risk if configured incorrectly.
Persistence & Privilege
ok
The skill is not force-included (always: false). It registers a before_prompt_build hook and the plugin metadata indicates onStartup activation, which is consistent with a retrieval plugin that should run for prompts. It does not modify other plugins or system-wide configs and does not request elevated privileges.