cove

v1.0.3

Chain of Verification (CoVe) — fact-check your responses against the user's knowledge base, memory, and web search before presenting them.

⭐ 0· 128·0 current·0 all-time

by@bhawanakatiyar

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for bhawanakatiyar/cove-plugin.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "cove" (bhawanakatiyar/cove-plugin) from ClawHub.
Skill page: https://clawhub.ai/bhawanakatiyar/cove-plugin
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install cove-plugin

ClawHub CLI

Package manager switcher

npx clawhub@latest install cove-plugin

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

The plugin declares and implements functionality to extract claims and verify them against local workspace files, agent memory (including a memory SQLite DB), optional vector stores, and optional Brave web search. Required bits (node runtime, optional LLM API keys or sidecar proxy, optional Brave key, vector store URL) are consistent with that purpose. Plugin metadata, code, and README consistently describe these capabilities.

ℹ

Instruction Scope

SKILL.md and plugin.json explicitly state the skill reads ~/.openclaw/workspace/, ~/.openclaw/workspace/memory/, and ~/.openclaw/memory/main.sqlite — the implementation follows that and also collects top-level .md/.txt files from the .openclaw root and any user-configured document_paths. This is coherent with verification needs, but two points to be aware of: (1) the code uses a heuristic parser to extract printable text from the SQLite file (readMemoryDb) rather than using sqlite bindings; that will scan the binary DB for printable strings and could pull any long text stored there; (2) USAGE.md/README text and code caps (per-file and aggregate context caps) are applied, but install instructions suggest copying binaries into system paths (e.g., /usr/local/bin) which requires admin rights — installation is manual and not auto-run by the skill itself.

✓

Install Mechanism

There is no automated installer in the registry spec (instruction-only install). The repo contains a CLI and README with copy/clone instructions; no remote downloads, URL shorteners, or extract-from-untrusted-URL installs are present. The plugin claims zero npm dependencies and uses only Node built-ins, which matches package.json. Installation guidance suggests copying files to system locations, which is normal but requires privilege and user consent.

✓

Credentials

Requested environment variables are proportional: either a direct LLM API key (GEMINI/ANTHROPIC/OPENAI or COVE_LLM_API_KEY) or use of the local sidecar (OPENCLAW_PROXY_PORT / SIDECAR_PROXY_KEY). BRAVE_API_KEY is optional and only required for web search. Vector-store URL/api_key are optional and only used if configured. There is a small metadata mismatch: the registry summary showed 'required env vars: none' while plugin.json & SKILL.md indicate one-of GEMINI/ANTHROPIC/OPENAI (or sidecar) — this is a documentation/metadata inconsistency but not a functional red flag.

✓

Persistence & Privilege

The skill does not request 'always: true' and does not modify other skills' configs. It can be invoked autonomously by the agent (default platform behavior), but auto_verify is opt-in in config. The plugin logs to stdout (captured by OpenClaw) and can be configured to auto-correct responses; these are expected behaviours for a verification skill. No persistent backdoor or privilege escalation is present.

Assessment

This plugin appears to do what it says: it reads your OpenClaw workspace and agent memory, optionally queries a vector DB and Brave Search, and calls an LLM (either via direct API keys or the local sidecar) to verify claims. Before installing, consider: 1) review and consent to the directories it will read (~/.openclaw/workspace/, ~/.openclaw/workspace/memory/, ~/.openclaw/memory/main.sqlite and any paths you add to document_paths); 2) prefer using the local sidecar proxy if you do not want to supply direct LLM API keys to the plugin; 3) if you enable web search or a remote vector store, those network endpoints and API keys will be used — verify and limit them as needed; 4) the plugin extracts printable text from the SQLite memory DB using a heuristic parser (not a sqlite binding) — if your DB contains sensitive blobs or large binary artifacts, review that behavior first; and 5) installation instructions suggest copying files to system locations (/usr/local/bin), which requires admin rights — perform the copy only if you trust the code and review the source (it is included). If you want extra assurance, run the included tests in a non-sensitive environment and inspect the cove source files for any changes before enabling auto_verify.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

✅ Clawdis

Binsnode

latestvk9716rp7degz0bbx19zs0yd3c583ht2h

128downloads

0stars

4versions

Updated 1mo ago

v1.0.3

MIT-0

cove-verify

Verify factual claims in your responses using Chain of Verification (CoVe). The tool extracts claims, checks them against the user's workspace, memory, and optionally the web, then reports inaccuracies with corrections.

When to Use

You SHOULD verify your response when:

Making specific factual claims about the user's business, products, customers, or data
Citing dates, numbers, statistics, or metrics from the user's files
Referring to past conversations or decisions from memory
Answering questions about the user's documentation or policies

You do NOT need to verify:

General knowledge, common sense, or widely known facts
Code you wrote (test it instead)
Creative content, opinions, or brainstorming
Simple conversational responses

Usage

# Verify a response (basic — checks memory + workspace)
cove-verify -r "Alice is on the Enterprise tier and pays $499/month."

# Standard policy — also checks the web
cove-verify -r "Revenue grew 15% last quarter." -p standard

# Deep policy — multi-step reasoning with web search
cove-verify -r "The contract SLA is 99.9% uptime." -p deep

# Pipe from stdin
echo "Your subscription renews on April 1st." | cove-verify --stdin

# JSON output for programmatic use
cove-verify -r "Bob signed up on March 5th." -f json

# Strict mode — fail if claims can't be confirmed
cove-verify -r "The API rate limit is 1000 req/min." --strict

# Report only (no auto-correction)
cove-verify -r "Meeting is scheduled for 3pm." --no-correct

Options

Flag	Short	Description	Default
`--response`	`-r`	Response text to verify	—
`--stdin`		Read response from stdin	false
`--policy`	`-p`	`basic`, `standard`, `deep`	basic
`--strict`		Fail if any claim is unverifiable	false
`--format`	`-f`	`text` or `json`	text
`--no-correct`		Report only, don't auto-correct	false

Policies

Policy	Memory	Workspace	Web Search	Use When
basic	✅	✅	❌	Internal facts (customers, products, config)
standard	✅	✅	✅	Facts that may need external confirmation
deep	✅	✅	✅	Critical claims requiring thorough verification

Workflow

Draft your response as usual
Run cove-verify -r "your response" to check claims
Fix any inaccuracies (the tool suggests corrections)
Send the corrected response

If the tool auto-corrects, use the corrected version. Let the user know you verified the response and share the results — transparency builds trust.

Data Access

This skill reads the following to build verification context:

Workspace files: text files in ~/.openclaw/workspace/ (top-level only, max 10KB each)
Memory files: markdown files in ~/.openclaw/workspace/memory/ (depth 2)
Memory database: text chunks from ~/.openclaw/memory/main.sqlite (max 20KB aggregate)
Custom paths: any paths listed in knowledge_sources.document_paths in your config

For standard and deep policies, it also queries the Brave Search API (requires BRAVE_API_KEY).

All data stays local to the verification pipeline — nothing is stored or sent beyond the configured LLM provider.

Exit Codes

0 — All claims verified (or no claims found)
1 — One or more claims are inaccurate
2 — Strict mode: claims are unverifiable (not necessarily wrong)

Comments

Loading comments...