TotalReclaw (canary — scanner validation)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This canary memory skill mostly matches its stated purpose, but it needs review because it appears to ship an embedded API secret and includes tools that can modify persistent memories without a separate confirmation step.

Review before installing, especially because this is labeled as a canary build. Do not use an existing crypto wallet recovery phrase. Confirm that the publisher has removed or explained the reported hardcoded API key, and use the memory-deletion or consolidation tools only after previewing exactly what will change.

Static analysis

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.
Content
apiKey = [REDACTED];

Prompt injection instructions

Warn
Finding
Prompt-injection style instruction pattern detected.
Content
**System Prompt:**

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
High
What this means

An embedded key could be abused, billed unexpectedly, revoked, or used for undisclosed provider calls, depending on what the code does at runtime.

Why it was flagged

A hardcoded API key or token in source code is credential exposure and is not justified by the documented memory functionality, especially when no credential is declared in metadata.

Skill content
Static scan: "suspicious.exposed_secret_literal ... Evidence: apiKey = [REDACTED];"
Recommendation

Remove the hardcoded key, rotate it, require users to provide their own provider credentials through documented configuration, and declare those credentials in metadata.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If invoked by the agent at the wrong time, the user could lose memories or have records merged in ways they did not explicitly approve.

Why it was flagged

The tool can delete or merge persistent memories, and the documented default is to execute rather than preview, without a separate confirm parameter.

Skill content
totalreclaw_consolidate ... "merge near-duplicates" ... "removes redundant copies" ... "dry_run ... Default: `false`"
Recommendation

Make dry-run the default, require an explicit confirmation parameter for destructive consolidation, and show the exact memories to be removed before applying changes.

ASI06: Memory and Context Poisoning
Medium
What this means

Personal or work details from chats may persist across sessions and influence future agent behavior, even when the user does not manually save each item.

Why it was flagged

The skill intentionally persists conversation-derived memories and reinjects them into future agent context, which is central to its purpose but sensitive.

Skill content
"Load relevant memories before processing each message"; "Extract and store facts after each turn"; "Flush all memories before context compaction"
Recommendation

Install only if you want persistent memory, review remembered items periodically, use forget/export controls, and avoid discussing secrets you do not want stored.

ASI09: Human-Agent Trust Exploitation
Low
What this means

Users or agents may be confused about whether they are installing a scanner-validation canary or the normal production TotalReclaw skill.

Why it was flagged

The registry entry is for a canary package named totalreclaw-canary version 3.1.0-canary.0, but SKILL.md presents the production-facing name, version, and install command.

Skill content
name: totalreclaw ... version: 1.6.0 ... `openclaw skills install totalreclaw`
Recommendation

Make the canary status explicit in SKILL.md and ensure install commands, slug, package name, and version match the artifact being published.