Truclaw Biometric
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
This is a plausible biometric approval plugin, but it asks for very sensitive identity enrollment and sends tool-call arguments to external services while giving limited evidence about scope and safeguards.
Review this carefully before installing. If you proceed, inspect the source code, verify that approvals are tied to the exact action being run, consider self-hosting the relay, and avoid using it with sensitive tool arguments unless you accept the external data flows and ID-enrollment requirements.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A biometric approval could potentially authorize broader or different actions than the user expects if the implementation is not tightly bound to the exact tool call.
The plugin can gate high-impact tool calls before they execute, but the documented pass/fail signal appears to be an age/KYC flag rather than clearly action-bound approval for the exact command, message, or file operation.
The plugin runs in a privileged before_tool_call hook ... isAbove21=true → action proceeds / isAbove21=false → action blocked
Review the plugin source before installing and confirm the iPhone prompt displays the exact tool name and arguments and that the signed JWT binds to that exact action.
Installing and using this skill may require you to provide sensitive identity documents to an app workflow that is outside the submitted artifact review.
Government ID/passport scanning is highly sensitive identity collection and is not clearly necessary for a Face ID-based OpenClaw action approval guardrail.
Complete one-time enrollment:
- Take a selfie
- Scan your Driver's License or Passport
Do not enroll unless you understand why ID verification is required, trust the iOS app and its privacy model, and are comfortable with the identity-data handling.
Sensitive command parameters or message contents could be sent to an external model provider during danger classification.
The artifact discloses that tool names and arguments are sent to Anthropic. Tool arguments can include personal messages, file paths, secrets, payloads, or other sensitive content, so the 'no personal data' claim is not guaranteed by the artifact.
Danger classification (Claude Haiku) | Anthropic API — tool name and args only, no personal data
Assume tool arguments may leave your environment; avoid using it with sensitive data unless redaction, logging, retention, and provider terms are acceptable.
You would be installing and trusting code that was not available in this review package.
The actual npm/GitHub code that implements the privileged hook was not included in the artifact set, so the clean static scan does not validate the runtime behavior.
No code files present — this is an instruction-only skill. The regex-based scanner had nothing to analyze.
Inspect the linked repository or npm package, verify provenance, and pin a trusted version before installing.
Users may overestimate the protection provided and approve installation without reviewing the privileged code path.
The documentation makes very strong security assurances, but the reviewed artifacts do not include the implementation needed to substantiate those claims.
No chat account compromise, no prompt injection, no replay attack can forge this.
Treat the claims as design goals until independently verified in source and runtime behavior.
