Jellyfish Security Plugin

Security checks across malware telemetry and agentic risk

Overview

This looks like a coherent security plugin, but it runs broadly in the background and can persist sensitive detections such as secrets or PII in local audit logs.

Install only if you want an always-on security monitor that can inspect and sometimes block activity. Protect its .env and state directories, keep file uploads disabled unless intended, restrict admin commands such as audit clearing or preinstall-scan disabling, and review audit-log retention/redaction before using it with sensitive prompts or files.

VirusTotal

67/67 vendors flagged this plugin as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

It may stop or warn on commands, downloads, browsing, or skill installation based on its policy.

Why it was flagged

The plugin can automatically warn, block, or log monitored actions and skill installs; this is disclosed and security-purpose aligned, but it is high-impact behavior control.

Skill content
Auto-start plugin behavior: checks run **without user input** whenever monitored events occur ... Pre-install skill scan: runs before skill installation and blocks risky skills by default
Recommendation

Review the default action policy, allowlists/blocklists, and who can run admin commands before enabling it.

ASI03: Identity and Privilege Abuse
Low
What this means

A provider API key may be stored locally and used for automatic reputation checks.

Why it was flagged

The plugin reads and stores a VirusTotal API key for provider lookups, which is expected for this integration but should be treated as credential handling.

Skill content
vt_api_key=env_values.get("VIRUSTOTAL_API_KEY", "") ... _write_env_value(self.env_path, "VIRUSTOTAL_API_KEY", self.vt_api_key)
Recommendation

Use a limited VirusTotal key, protect the .env file, and rotate the key if the plugin directory is shared or exposed.

ASI06: Memory and Context Poisoning
Medium
What this means

Credentials, personal data, URLs, paths, or prompt snippets detected by the plugin may remain in audit history and be shown later.

Why it was flagged

Findings are persisted to state/audit.jsonl; the provided detector code records matched secret/PII strings as finding evidence, so sensitive values can be retained in local logs.

Skill content
"findings": [finding.to_dict() for finding in decision.findings] ... with self.audit_path.open("a", encoding="utf-8") as handle: handle.write(json.dumps(entry) + "\n")
Recommendation

Redact or hash secret/PII evidence before logging, document retention behavior, restrict access to the state directory, and provide safe cleanup defaults.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Indicators such as URLs, domains, hashes, and, if enabled, local files may be sent to threat-intelligence providers.

Why it was flagged

External provider checks and optional file uploads are disclosed and purpose-aligned; the upload path is privacy-sensitive but disabled by default.

Skill content
Integrates with VirusTotal, Hillstone Threat Intelligence (`hs-ti`), and custom TI APIs ... Uploading unknown files to VirusTotal is **disabled by default** to avoid privacy leakage
Recommendation

Keep unknown-file uploads disabled unless you intentionally want to share files with the provider, and review any custom TI endpoints.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users may underestimate that they are installing runnable plugin code rather than only instructions.

Why it was flagged

The package is a native code plugin with a dist entrypoint, while the registry context says there is no install spec; this is a provenance/metadata clarity issue, not evidence of malicious behavior.

Skill content
"setupEntry": "./dist/index.js"
Recommendation

Treat it as a code plugin, review the packaged runtime files, and keep metadata aligned with the actual install/runtime behavior.