Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw SillyTavern Plugin
v0.1.0
SillyTavern-compatible roleplay plugin with character cards, long memory, multimodal output (TTS/image), and Generative-Agents-style companion.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Functionality in source (imports, session manager, TTS/image, long memory, companion) matches the stated purpose. However there are metadata mismatches: the top-level registry claimed no required env/install, while SKILL.md frontmatter declares an install step (npm install) and requires OPENCLAW_RP_LOCALE. The package is not instruction-only (many source files exist) despite an earlier note saying 'No install spec'. These inconsistencies should be reconciled.
Instruction Scope
Runtime instructions and code read and write OpenClaw config and user-facing files (e.g., ~/.openclaw/provider.json, SOUL.md) and register hooks (message_received, before_prompt_build, llm_output). The plugin exposes a `/rp sync-agent-persona` that writes the current RP character into the agent SOUL.md (system persona), and `/rp restore-agent-persona` to revert. The companion feature can be scheduled to proactively message users via hooks. These are powerful operations (modifying agent system prompts and initiating messages) and expand scope beyond simple import/response behavior; they are legitimate for this plugin's goals but sensitive and worth explicit operator approval.
Install Mechanism
SKILL.md requests running `npm install` after clone (normal for Node.js plugins). package.json uses peerDependencies (optional better-sqlite3, js-tiktoken) so npm install will not pull unexpected third-party runtime dependencies beyond those declared. No remote arbitrary binary downloads or obscure extract-from-URL steps were found. That said, the registry metadata initially claiming 'no install spec' conflicts with SKILL.md's install entry.
Credentials
The plugin legitimately uses environment variables for provider resolution (OPENCLAW_RP_LOCALE, OPENAI_*, GEMINI_*, TELEGRAM_BOT_TOKEN in examples). The registry initially listed no env requirements but SKILL.md notes OPENCLAW_RP_LOCALE; other provider envs are optional. Access to provider credentials (OPENAI_*/GEMINI_*) is reasonable for image/embedding/tts providers but is sensitive—operators should avoid supplying unrelated high-privilege credentials to the plugin. The plugin can read user config files under ~/.openclaw, which is expected but gives it visibility into gateway config.
Persistence & Privilege
The plugin persists session data and embeddings (SQLite or in-memory), can modify plugin configuration entries and write into agent-managed files (SOUL.md), and registers hooks that enable proactive, scheduled outbound messages (companion_tick). While these behaviors are part of its feature set, they grant the plugin persistent presence and the ability to modify agent/system prompts and initiate messages — a meaningful privilege that should be explicitly authorized and monitored.
Scan Findings in Context
[system-prompt-override] expected: The pre-scan found 'system-prompt-override' patterns. The plugin exposes `/rp sync-agent-persona` which writes RP characters into SOUL.md (agent persona/system prompt); this behavior is consistent with the feature but is sensitive because it can change agent system prompts. Treat as expected-for-purpose but review and restrict who can trigger it.
What to consider before installing
This plugin implements the described RP features and includes real source code (not just an instruction-only skill), but exercise caution before installing.
- Reconcile metadata: SKILL.md requests an `npm install` step and lists OPENCLAW_RP_LOCALE, while the registry summary omitted these—treat the SKILL.md as authoritative.
- Sensitive actions: the plugin can read ~/.openclaw configs, persist session/memory data (SQLite), modify plugin config, and write the agent's SOUL.md (system persona). Those are valid features but allow persistent modification of agent prompts and autonomous proactive messages—only grant these capabilities deliberately.
- Credentials: don’t expose unrelated high-privilege credentials. If you supply OPENAI_*/GEMINI_* keys, prefer least-privileged gateway accounts and isolate usage.
- Deployment advice: review the repository yourself (or have a trusted admin do so), run npm install and the smoke tests in a sandboxed environment, back up SOUL.md and OpenClaw config before enabling persona sync, and disable/require approval for the companion_tick scheduler or any automatic proactive features until you’ve verified behavior.
- If unsure: install in a non-production gateway, or request the publisher to clarify the metadata mismatches and provide an explicit security note about SOUL.md writes and scheduled companion behavior.
src/core/commandRouter.js:13
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
