Skillv1.0.0

ClawScan security

Memory ChromaDB · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 29, 2026, 4:16 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, configuration schema, and runtime instructions match its stated purpose (ChromaDB + Ollama embeddings with auto-recall); nothing requested or installed is disproportionate, but users should confirm endpoints and memory contents before enabling auto-recall.
Guidance: This skill appears to do what it says: it calls the configured ChromaDB and Ollama endpoints to fetch embeddings and memories and can auto-inject them into conversations. Before installing: 1) Confirm the chromaUrl and ollamaUrl point to services you control or trust (defaults are localhost). If you set them to remote hosts, your conversation text and embeddings will be sent there. 2) Review the ChromaDB collection contents for any sensitive data; auto-recall will expose stored memories to the model. 3) If you want tighter control, disable autoRecall or lower autoRecallResults/minScore to reduce what is injected. 4) Note the package source/homepage is unknown — consider trusting only plugins from known authors or reviewing the full index.ts (provided) before enabling. If you need higher assurance, run the plugin in an isolated environment with local ChromaDB/Ollama instances.

Review Dimensions

Purpose & Capability: okName/description, SKILL.md, openclaw.plugin.json, and index.ts are consistent: the plugin integrates ChromaDB and Ollama embeddings, exposes a manual search tool, resolves collection by name/ID, and supports auto-recall. There are no unrelated environment variables, binaries, or install steps requested.
Instruction Scope: okSKILL.md and the code limit actions to embedding requests to the configured Ollama endpoint and queries to the configured ChromaDB API; the auto-recall behavior (injecting retrieved memories before turns) is explicit in the instructions and code. The plugin does not attempt to read local files or other system credentials in the provided code.
Install Mechanism: okNo install specification is provided (instruction-only with an included index.ts). Nothing in the manifest downloads or executes remote archives. The included source is plain TypeScript and uses fetch to contact configured services.
Credentials: noteThe skill requests no environment variables or credentials. It does rely on user-provided URLs (chromaUrl, ollamaUrl). If those URLs are set to remote or untrusted hosts, conversation content and embeddings would be sent there — so endpoint choice is the primary risk, not hidden credential requests.
Persistence & Privilege: notealways:false (no forced global inclusion). disable-model-invocation is false (normal), and the plugin's auto-recall feature will cause it to run and inject memory content before turns when enabled — expected behavior but relevant to privacy because it expands what context is sent to the model.