Back to plugin
Pluginv1.9.1
ClawScan security
OpenClaw Mem · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 27, 2026, 5:30 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The bundle's code, docs, and runtime instructions are consistent with a sidecar-first OpenClaw memory capture plugin and do not request unrelated credentials or unusual install behavior.
- Guidance
- This bundle appears to do what it says: a sidecar capture + local CLI/SQLite proof path. Before installing: (1) run the local proof steps (sample JSONL → ingest → search/timeline) on a throwaway DB to verify redaction/behavior; (2) review any systemd/cron or OpenClaw cron job snippets — they include agentTurn payloads that will cause execs to run, so only enable them if you trust the configured commands and host; (3) do not promote the optional mem-engine to own the memory slot until you've audited receipts and rollback paths. If you want extra caution, keep captureMessage and episodes disabled and rely on manual CLI ingest until comfortable.
Review Dimensions
- Purpose & Capability
- okName/description say 'sidecar memory capture' and the repo documents, plugin JSON, TypeScript extension, CLI, and ingestion scripts all implement that purpose. Files (plugin, CLI, docs, tests) align with the claimed functionality; nothing asks for unrelated cloud or admin credentials.
- Instruction Scope
- noteSKILL.md focuses on local capture → JSONL → SQLite ingest and safe adoption paths. It includes operator-level instructions (git clone, uv sync, uv run, systemd/cron examples) and examples of configuring OpenClaw cron jobs that send agent-turn payloads which execute local commands (e.g., run harvest via an exec). That is coherent for an operator-run ingestion workflow but worth noting: the docs show examples where scheduled agent messages will instruct the system to run local exec commands — this is expected for OpenClaw automation but operators should verify those cron/agent payloads before enabling in production.
- Install Mechanism
- okNo automatic install spec is included; the bundle is distributed as repo files and docs instruct manual git clone / uv sync / plugin symlink. No opaque downloads, URL shorteners, or remote extract/install steps are present in SKILL.md. The included Node/Python project files are expected for the plugin and CLI.
- Credentials
- okNo required env vars or secrets are declared. Optional environment examples (e.g., OPENCLAW_MEM_IMPORTANCE_SCORER, OPENCLAW_STATE_DIR) are reasonable operator controls for behavior tuning, not undisclosed credentials. The docs do reference using model names in cron payloads (e.g., 'google-antigravity/gemini-3-flash') but do not request API keys from unrelated services.
- Persistence & Privilege
- notealways:false and user-invocable:true (defaults) — the skill does not request forced permanent inclusion. It instructs operators to add a symlink into plugin dirs or to enable plugin in OpenClaw config, which is normal for a plugin. Operators should be cautious about promoting the optional 'mem-engine' to become the active memory-slot backend (docs emphasize this is a controlled, post-proof step).