Plugin

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s memory purpose is clear, but it automatically captures broad personal facts into persistent decentralized memory and shows under-scoped wallet/credential authority, so it should be reviewed before installation.

Review this carefully before installing. It may be suitable if you explicitly want automatic encrypted long-term memory, but you should confirm what gets saved, how deletion/export works, whether old session logs are imported, and whether any wallet or transaction-related permissions are required.

Static analysis

Dangerous exec (Critical, 2 findings): Shell command execution detected (child_process).

Exposed secret literal (Critical, 5 findings): File appears to expose a hardcoded API secret or token.

Potential exfiltration (Warn): Sensitive-looking file read is paired with a network send.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Personal details such as identity, location, work, plans, preferences, and commitments may be saved and reused across future conversations even when the user did not explicitly ask to save them.

Why it was flagged

This instructs automatic storage of a very broad set of personal facts into persistent decentralized memory without per-memory confirmation.

Skill content

When the user states ANYTHING about themselves ... call `totalreclaw_remember` ... Trigger immediately, no "should I?" ... user memories live encrypted on-chain.

Recommendation

Install only if you want automatic long-term memory; prefer explicit opt-in/confirmation, review export and deletion behavior, and disable autonomous remembering if possible.

What this means

A misread or sensitive statement from session history could propagate into long-term memory and affect future agent behavior.

Why it was flagged

The changelog describes automated extraction from OpenClaw session log files, which can move information from past sessions into persistent memory.

Skill content

Trajectory poller ... skip stale trajectory files ... multiple session files ... default 60 s poll interval ... OpenClaw session log history

Recommendation

Before enabling, verify what session-log paths are scanned, whether the poller can be disabled, and whether the user approves importing past conversation history.

What this means

If these capabilities are active, the plugin may handle authority that can affect account state or funds without the registry metadata making that clear.

Why it was flagged

The declared credential contract says no primary credential, while capability signals indicate high-impact wallet, purchase, signing, and sensitive-credential capabilities.

Skill content

Primary credential: none ... Capability signals: requires-wallet; can-make-purchases; can-sign-transactions; requires-sensitive-credentials

Recommendation

Do not provide wallet or signing authority unless the plugin documents exact scopes, approval prompts, spending limits, and recovery procedures; use a separate low-risk account if needed.

What this means

Users may be pushed through account setup and credential pairing without understanding that they are enabling persistent memory and account creation.

Why it was flagged

The skill equates a setup action with unconditional consent, rather than requiring a clear user approval step for account pairing.

Skill content

Pair is UNCONDITIONAL when no credentials — pasting the install URL IS the consent.

Recommendation

Require an explicit confirmation before pairing or account creation, and present what data will be stored and how to undo it.

What this means

After installation, the plugin can initiate setup-related network activity and local credential writes without the user manually running each step.

Why it was flagged

The implementation starts a background pairing listener and writes credential state on first load. This is disclosed and related to setup, but it is autonomous persistent behavior.

Skill content

autonomously open a relay pair session when the plugin loads without credentials ... writes URL + PIN + sid + expiry to `~/.totalreclaw/.pair-pending.json` ... background WS listener ... writes credentials.json

Recommendation

Review the pairing flow, confirm where credentials are stored, and ensure background setup is acceptable for the environment.

What this means

Installing the skill may also install and run external plugin code from the package ecosystem.

Why it was flagged

The skill directs installation of an external RC npm plugin package. This is purpose-aligned, but users should recognize it as a package-install supply-chain dependency.

Skill content

openclaw plugins install @totalreclaw/totalreclaw@rc

Recommendation

Prefer a stable pinned version when possible and verify the package provenance before installing in sensitive environments.