Plugin v3.1.0-canary.0

ClawScan security

TotalReclaw (canary — scanner validation) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 19, 2026, 11:49 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill broadly matches a memory plugin's purpose, but there are internal inconsistencies (manifest vs runtime docs) and a detected prompt‑injection pattern that warrant manual review before installing.
Guidance
What to consider before installing:
- Do not install this in production unless you audited it; the package itself warns 'Do not install in production.'
- There is a clear mismatch: the registry metadata lists no required env vars but the README/SKILL.md require TOTALRECLAW_RECOVERY_PHRASE (a 12-word BIP-39 mnemonic). Treat the recovery phrase as highly sensitive and expect the plugin to derive keys locally and use them to authenticate to the service. Ask the publisher to update the manifest to declare required env vars.
- Review the bundled source files (api-client.ts, fs-helpers.ts, index.ts, setup.sh) yourself or have a security-savvy person review them: confirm the recovery phrase is only used locally to derive keys, that the plugin sends only encrypted blobs, and that no plaintext secrets or other environment variables are transmitted to remote endpoints.
- Verify where credentials.json is written/read (default ~/.totalreclaw/credentials.json) and whether file permissions are correctly set (SKILL.md/CHANGELOG mention mode 0600). Consider running the plugin in a sandbox or disposable agent with a throwaway recovery phrase first.
- Prompt-injection detector flagged SKILL.md content; this may be a false positive (the file contains many instructive lines) but you should confirm the SKILL.md does not include instructions intended to override system prompts or to exfiltrate environment data.
- If you self-host, set TOTALRECLAW_SERVER_URL to your own relay and inspect traffic. For remote service use, confirm TLS endpoints and that authorization tokens are derived from the recovery phrase rather than reading arbitrary process.env secrets.
- If you have an existing crypto wallet, heed the plugin's warning: do NOT use an existing wallet's recovery phrase. Use a separate phrase for TotalReclaw.
If you want me to help further, I can: (1) scan the included source files for network calls and file reads/writes to produce a concise list of I/O points, (2) extract exact places where environment variables or process.env are referenced, and (3) summarize how the auth key is derived from the recovery phrase so you can verify no plaintext is sent.
Findings
[system-prompt-override] unexpected: Pre-scan detected a pattern labelled 'system-prompt-override' inside SKILL.md. The SKILL.md is an agent-facing document and contains many imperative instructions; this detector may be triggered by legit onboarding text, but it could also indicate content intended to influence LLM/system prompts during automated evaluation. Manual inspection recommended.

Review Dimensions

Purpose & Capability
concern: The SKILL.md / README clearly require a recovery phrase (TOTALRECLAW_RECOVERY_PHRASE) and describe server interactions, file I/O (credentials.json, cache paths), and lifecycle hooks — all coherent for an encrypted memory plugin. However the published registry metadata declares no required env vars and the frontmatter lists requires.env: [] which contradicts runtime instructions that say a recovery phrase is required. That mismatch between declared requirements and actual runtime expectations is disproportionate and confusing for users and scanners.
Instruction Scope
concern: SKILL.md instructs the agent and user to set a 12-word recovery phrase, to run setup, and describes lifecycle hooks and tools that will read/write credentials and contact a remote API. Those instructions are in-scope for a memory plugin. However: (1) a prompt-injection detection ('system-prompt-override') was found in SKILL.md content (pre-scan), which could either be a false positive or an attempt to influence LLM behavior during automated review; (2) the SKILL.md also contains explicit onboarding guidance that generates and persistently writes a recovery phrase to disk, which is a sensitive operation and should be clearly declared in metadata.
Install Mechanism
ok: No install spec (no arbitrary download/install step) lowers disk-execution risk from the registry side. The package contains many source files bundled with the skill (API client, fs helpers, tests), so the code will run when the skill is invoked — but there is no external URL-based installer or extract step listed that would raise high-risk concerns.
Credentials
concern: The runtime clearly relies on a sensitive secret (12-word TOTALRECLAW_RECOVERY_PHRASE) and reads/writes credentials.json and an encrypted cache. Declared requirements in registry metadata are empty, creating a mismatch: the skill asks users to provide a recovery phrase (and optional server URL) but the manifest does not advertise required env vars. Asking for a recovery phrase is proportionate to an E2EE memory plugin, but the omission from metadata and the presence of file I/O (home dir credentials, cache) should be explicitly declared so users understand the sensitivity.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated platform privileges. It integrates with agent lifecycle hooks (before_agent_start, agent_end, pre_compaction) which is expected. The package writes a credentials file under ~/.totalreclaw and auto-bootstraps a BIP-39 mnemonic on first-run — this is normal for its purpose but is a persistent, sensitive client-side artifact and should be reviewed by the user.