Back to skill

Security audit

Plugin

Security checks across malware telemetry and agentic risk

Overview

TotalReclaw appears purpose-built for encrypted agent memory, but it has broad background access to local OpenClaw conversations and provider credentials that users should review before installing.

Install only if you are comfortable with a persistent background memory plugin that reads local OpenClaw conversation logs, uses configured LLM/API-provider credentials for extraction, stores encrypted memories via TotalReclaw/on-chain infrastructure, and can patch/restart your OpenClaw gateway. Review extraction settings, use a dedicated recovery phrase, and verify credential-file permissions before enabling it.

SkillSpector

By NVIDIA

SkillSpector could not complete.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal, suspicious.potential_exfiltration

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist-esm-smoke.test.ts:94

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
postinstall-validate.test.ts:138

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
import-upgrade-cli.test.ts:178

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
llm/llm-client.test.ts:159

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
llm/llm-profile-reader.test.ts:276

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
setup/qa-bug-report.test.ts:78

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
pairing/pair-e2e-leak-audit.test.ts:196