Back to plugin

Security audit

TotalReclaw (canary — scanner validation)

Security checks across malware telemetry and agentic risk

Overview

This canary memory skill mostly matches its stated purpose, but it needs review because it appears to ship an embedded API secret and includes tools that can modify persistent memories without a separate confirmation step.

Review before installing, especially because this is labeled as a canary build. Do not use an existing crypto wallet recovery phrase. Confirm that the publisher has removed or explained the reported hardcoded API key, and use the memory-deletion or consolidation tools only after previewing exactly what will change.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.prompt_injection_instructions

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
llm-client.ts:212
Evidence
apiKey = [REDACTED];

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:698
Evidence
**System Prompt:**