Plugin v1.8.0

ClawScan security

TaskTrace MCP · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 29, 2026, 2:41 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The bundle appears to do what it says (register a local TaskTrace MCP server) and requests no credentials, but there are packaging/instruction inconsistencies and clear privacy implications (exposing screenshots/activity) that you should review before installing.
Guidance
This package is mostly coherent with its stated purpose (registering a local TaskTrace MCP server), but review these before installing:

1) Confirm you actually have /Applications/TaskTrace.app at that path — the plugin only points local clients at that binary.
2) Understand privacy impact: the manifests advertise access to activity history and screenshots; installing lets local agents query that data.
3) The README and package.json mention npm scripts and install helper scripts that are not present in the published file list — do not run npm install/npm run without inspecting the scripts first.
4) Inspect the package contents you will install (especially any scripts under scripts/ or files that would be executed) and verify the publisher (tasktrace.com) and repository.
5) If you need to limit exposure, avoid enabling broad tool profiles or restrict which agents can invoke MCP plugins.

If you want more certainty, request the missing script files / a complete release artifact from the author or install in a sandboxed environment first.

Review Dimensions

Purpose & Capability
ok
Name, description, and manifests consistently describe a local MCP integration that launches the TaskTrace desktop binary at /Applications/TaskTrace.app/Contents/MacOS/TaskTrace --mcp-stdio. The files present (.mcp.json and plugin manifests) match the stated purpose and there are no unrelated credentials or binaries requested.
Instruction Scope
note
The SKILL.md instructs standard plugin install steps for OpenClaw/Claude/Codex and explicitly modifies local plugin caches and marketplace entries under the user's home (~/.agents, ~/.codex, etc.) and restarts local gateways. Those actions are expected for installing a local plugin, but they do touch local config and cache files. The package also states it exposes 'work history, activity feeds, and screenshots' — a privacy-sensitive data surface that is coherent with the plugin's purpose but important to understand. Additionally, the README and npm scripts reference install/build scripts that are not present in the published file list (see install script names in package.json). That mismatch could break the documented install steps or indicate an incomplete package.
Install Mechanism
note
This is an instruction-only skill with no install spec, so it does not pull arbitrary code at agent runtime. That is low-risk. However, the package.json contains npm scripts that would run Node scripts (e.g., install:codex-local) and reference shell helpers; those script files are not included in the provided file manifest. Running npm install/npm run (if you follow the README) would fetch dependencies and execute scripts on your machine — so inspect the package contents before running npm scripts. No external downloads or strange URLs are present in the reviewed files.
Credentials
ok
The skill requests no environment variables, no credentials, and no config paths beyond manipulating its own plugin/cache locations. That is proportionate to the stated goal. Note: functionality will rely on the local TaskTrace app being installed at the hardcoded macOS path; also the plugin is explicitly designed to expose local activity and screenshots to the client agent, which is a sensitive capability even though no secrets are requested.
Persistence & Privilege
ok
always is false and the skill does not request persistent platform privileges. It will register itself as a client plugin, and the README suggests enabling OpenClaw's 'tools.profile' = 'full' which increases agent capabilities — this combined with access to screenshots/work-history is a privacy consideration. Autonomous agent invocation is allowed (default) — not unusual, but note the potential blast radius if you permit agents to call MCP servers that expose local screenshots.