ClawHub

ClawdTalk Persona Plugin

v1.0.4

Manage persistent caller memory by retrieving caller info at call start and logging detailed call summaries to update identity, personality, and memories aut...

0· 106·0 current·0 all-time
by@noahvandal
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implemented functionality. The plugin requires an API key and server URL in its config (openclaw.plugin.json) which is appropriate for a remote Persona service. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md keeps instructions narrowly scoped: call persona_get_caller before calls, persona_log_call and persona_update_docs after calls. The instructions do not ask the agent to read local files, environment variables, or other system state outside the declared plugin config.
Install Mechanism
No installation spec or external downloads are present (instruction-only style with TypeScript source). The code is not obfuscated and uses a fetch-based HTTP client to the configured server. Nothing is being pulled from arbitrary URLs at install time.
Credentials
No environment variables are required, but the plugin requires an apiKey in its config (declared in openclaw.plugin.json). That apiKey is the expected and proportionate credential. Note: the server URL is configurable (default http://localhost:3002) — if changed to an external host, the API key and call summaries/transcripts will be sent there, which is expected behavior but worth reviewing for privacy.
Persistence & Privilege
always is false and the plugin does not request elevated platform privileges or attempt to modify other skills. It registers tools and a health-check service, which is normal for a plugin.
Assessment
This plugin appears to do what it says: it sends caller metadata, call summaries, and (if you provide a call_id) lets the Persona backend fetch the full transcript. Before installing: 1) Verify the Persona server URL you configure is trusted (default is localhost; changing it to a public endpoint means data will be sent there). 2) Only provide an apiKey with the minimum required scope and store it in the secure plugin config UI. 3) Understand that persona_log_call and persona_update_docs will persist PII and create versioned records (old versions are never deleted) — confirm this retention policy complies with your privacy rules. 4) If you want to limit exposure, avoid passing call_id or full transcripts unless necessary. If you need more assurance, ask the publisher for their privacy/hosting details or run the plugin against a staging Persona server first.

Like a lobster shell, security has layers — review code before you run it.

latestvk978k227ksrp7b2yx3bvn2h0y183an2s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments