Skill v3.3.0-rc.6
ClawScan security
Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 8:06 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill appears to implement an end-to-end encrypted memory system and includes substantial source code, but there are several mismatches and prompt-injection indicators (notably SKILL.md claims no env vars while README/docs reference a sensitive recovery phrase env var, and automated scans found prompt-injection patterns), so review and caution are advised before installing.
- Guidance: What to consider before installing:
  - Metadata mismatch: The registry declares no required env vars but the README/SKILL.md document a sensitive recovery phrase (TOTALRECLAW_RECOVERY_PHRASE) and server URL. Expect to provide/store a mnemonic and to allow the plugin to write to ~/.totalreclaw; this is normal for this kind of plugin but the registry should have declared it. Treat the absence of declared envs as a transparency issue.
  - Do NOT reuse an existing crypto wallet recovery phrase: the docs explicitly warn never to use a phrase tied to funds. If you install, generate a new dedicated phrase and store it offline—do not reuse any financial wallet seed.
  - Prompt-injection indicators: automated scanning found 'system-prompt-override' and 'base64-block' patterns in SKILL.md. Manually inspect the SKILL.md sections containing these patterns (or ask the publisher) before granting the plugin autonomous invocation — they may be benign but could also attempt to manipulate agent/system prompts.
  - Network endpoints & data flow: the included source makes authenticated requests to api.totalreclaw.xyz and writes encrypted blobs to the server. The design claims the server never sees plaintext, but if you do not trust the implementation you should audit the crypto code (crypto.ts, pair-crypto.ts, api-client.ts) to ensure keys are derived/used locally and no plaintext leakage occurs. Consider self-hosting the relay by setting TOTALRECLAW_SERVER_URL to a host you control if you plan to trust the system.
  - Run in an isolated environment first: because the bundle contains runnable code that writes to your home dir and registers pairing routes, try it in a VM or throwaway account first. Confirm it only writes under ~/.totalreclaw and does not read unrelated config files.
  - Code audit and provenance: the skill includes many source files and tests (good). If you cannot audit it yourself, prefer code from a known publisher or check for independent audits. Verify package signatures or upstream repository links if possible (homepage is provided).
  - If you proceed: (1) create a fresh recovery phrase solely for TotalReclaw, (2) do not export that phrase to any network or chat, (3) consider self-hosting the server or inspect requests to the default API endpoint, and (4) restrict the plugin's autonomous permissions until you are confident. If you want, I can point out exactly where SKILL.md contains the prompt-injection patterns or summarize the crypto-related files (crypto.ts, pair-crypto.ts, api-client.ts) to help focus a code review.
- Findings:
  - [system-prompt-override] unexpected: Scanner flagged SKILL.md for content patterns that look like instructions to override system prompts. SKILL.md should not contain attempts to change the agent's system prompt; this could be a manipulation vector. Manual review of those SKILL.md sections is recommended (the pre-scan showed this pattern inside the skill documentation).
  - [base64-block] unexpected: A base64 block pattern was detected in SKILL.md. Base64 blobs in skill docs can be benign (e.g., illustrations, encoded assets) but can also hide payloads or encoded instructions. Verify the decoded contents or ask the author why the encoded block is present.
Review Dimensions
- Purpose & Capability (note): The name/description (E2EE memory) align with the code: many files implement encryption, storage, pairing, search, and HTTP API client logic. However the registry metadata declares no required environment variables, while the README and SKILL.md clearly document a sensitive recovery phrase (TOTALRECLAW_RECOVERY_PHRASE) and optional TOTALRECLAW_SERVER_URL. That metadata omission is an incoherence — a consumer would legitimately expect the declared required envs to match the documented runtime needs for auth/config.
- Instruction Scope (concern): SKILL.md instructs generation/storage of a BIP-39 recovery phrase and writing credentials to ~/.totalreclaw/credentials.json and describes network interaction with api.totalreclaw.xyz (via an auth Bearer token derived from the recovery phrase). That behavior is consistent with a memory plugin, but SKILL.md also contains patterns the scanner labeled as prompt-injection (system-prompt-override and base64-block). Presence of prompt-injection patterns in the runtime instructions is a red flag because it could be an attempt to influence agent/system prompts at runtime. There are no instructions in SKILL.md that explicitly ask the agent to read unrelated system secrets (e.g., AWS creds), but the mismatch between declared envs and documented sensitive env usage suggests the skill may rely on secrets not declared in registry metadata.
- Install Mechanism (ok): No install spec is present (instruction-only), which is lower-risk than arbitrary remote installers. The package nevertheless includes full source files in the skill bundle (many TypeScript files, tests, scripts). Because no automated install downloads/extracts external binaries, there is no immediate download-from-URL risk. However the presence of executable scripts and node source means a human or the platform will execute this code when the plugin is activated, so code review is needed.
- Credentials (concern): The registry metadata claims requires.env is empty, but SKILL.md/README and CLAWHUB.md repeatedly document a recovery phrase env var (TOTALRECLAW_RECOVERY_PHRASE) and optional TOTALRECLAW_SERVER_URL. The plugin also writes files under the user's home (~/.totalreclaw) and reads/writes billing cache and credential files. Requesting/using a sensitive mnemonic is proportional to an E2EE memory plugin, but the metadata omission is inconsistent and could cause automated scanners or users to miss that a secret is needed. No unrelated credentials (AWS, GCP, etc.) are requested in the files provided.
- Persistence & Privilege (note): always is false (normal). The plugin writes local files (~/.totalreclaw), creates a billing cache, and registers HTTP pairing routes (pairing flow). These are expected for a memory plugin that needs local credentials and pairing. It does not request to be always-enabled or to modify other plugins' configurations. Because the plugin can be invoked autonomously (default), treat the prior concerns (prompt-injection indicators, metadata mismatch) as higher-risk when combined with autonomous invocation.
