Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Plugin

v3.6.0

End-to-end encrypted memory for AI agents — portable, yours forever. AES-256-GCM E2EE: server never sees plaintext.

0 · 275 · 0 current · 0 all-time
by Pedro Diogo (@p-diogo)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Crypto · Requires wallet · Can make purchases · Can sign transactions · Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The code and SKILL.md implement an E2EE memory system (crypto, blind indices, API client, lifecycle hooks) which is coherent with the skill's name/description. However the registry metadata claims no required environment variables while README and the code expect/consume a recovery phrase, server URL, and many optional LLM provider API keys. That mismatch (declared 0 envs vs. actual sensitive env access) is unexpected and unexplained.
! Instruction Scope
SKILL.md instructs generating/storing a 12-word recovery phrase, hooking into lifecycle events (before_agent_start, agent_end, pre_compaction) and injecting retrieved memories into agent context — those are expected for a memory skill. But the pre-scan flagged a 'system-prompt-override' pattern in SKILL.md, and the frontmatter/README inconsistently declare env requirements (frontmatter: none; README: set TOTALRECLAW_SERVER_URL and TOTALRECLAW_RECOVERY_PHRASE). Because the skill injects context into prompts and the skill text is used as a listing (per CLAWHUB.md), there is a risk the SKILL.md content or lifecycle hooks could be used to alter agent prompts or behavior beyond what a user expects. Recommend manual review of the full SKILL.md for any instructions that overwrite system prompts or ask the agent to collect unrelated secrets.
Install Mechanism
There is no separate install spec (instruction-only), but the skill bundle contains many source files, package.json, and package-lock.json and depends on a WASM-backed module @totalreclaw/core. No arbitrary external URL downloads were observed in the provided manifest. The presence of a native/WASM dependency is a moderate installation risk because it executes native code and must be installed (npm or equivalent) — inspect that module and its provenance before trusting it.
! Credentials
The code (config.ts) reads a wide set of environment variables: TOTALRECLAW_RECOVERY_PHRASE (highly sensitive), TOTALRECLAW_SERVER_URL, many tuning vars, and numerous LLM provider API keys (OPENAI_API_KEY, ANTHROPIC_API_KEY, GEMINI_API_KEY, etc.). The registry metadata advertised no required envs, creating a serious mismatch. Reading many unrelated credentials increases the blast radius: the skill could (intentionally or accidentally) use or transmit those keys unless you verify client-side behavior and server interactions.
Persistence & Privilege
The skill does not set always:true and is user-invocable. It declares lifecycle hooks that run at normal integration points (before_agent_start, agent_end, pre_compaction). Those privileges are expected for a memory plugin and do not by themselves indicate over-privilege.
Scan Findings in Context
[system-prompt-override] unexpected: A prompt-injection pattern was detected inside SKILL.md. Although memory plugins inject stored context into conversation prompts (expected), a 'system-prompt-override' pattern suggests the SKILL.md may contain content that tries to alter the agent's system/assistant prompt or otherwise manipulate agent behavior. This is not necessary for basic E2EE memory functionality and should be inspected manually.
What to consider before installing
- Metadata mismatch: the registry lists no required env vars but the README and code expect TOTALRECLAW_RECOVERY_PHRASE and TOTALRECLAW_SERVER_URL (and optionally many LLM API keys). Treat that as a red flag — ask the publisher why requirements were omitted.
- Recovery phrase handling: the recovery phrase is the user's only identity and is irreversible. Do NOT reuse any cryptocurrency wallet seed; follow the skill's warning. Prefer interactive, ephemeral entry rather than placing the phrase in a long-lived environment variable if possible.
- Sensitive env vars: the skill will read any provider API keys present in the environment. If you have provider keys in your environment, consider running the skill in an isolated environment or remove keys you don't want the skill to see until you've audited the code.
- Inspect @totalreclaw/core: the crypto/WASM module performs critical crypto operations. Verify its provenance (npm page, code, signatures) and ensure its build artifacts are trustworthy before trusting the bundle.
- Review SKILL.md and code for prompt/modification behavior: the pre-scan flagged a system-prompt-override pattern. Read the full SKILL.md and lifecycle hook implementations to ensure nothing attempts to override system prompts or exfiltrate secrets.
- Prefer self-hosting: if you want to minimize trust, host the TotalReclaw server yourself (set TOTALRECLAW_SERVER_URL to your endpoint) and audit the server code; that reduces trust in the upstream service.
- Test in isolation: run the skill in a sandboxed agent with no extra env credentials, monitor network calls to the configured server, and confirm that only encrypted blobs and expected headers (auth derived from recovery phrase) are transmitted.
- If unsure, request more information from the publisher: source repo URL, signed releases, and an explanation for why registry metadata omits required envs. If the publisher cannot explain the discrepancies, avoid installing.
Low vs. high confidence: this evaluation is high-confidence about the inconsistencies (metadata vs. code) and the presence of sensitive env var access and prompt-injection signal. It does not assert malicious intent — the code looks like a plausible E2EE memory implementation — but the mismatches and broad env access are sufficient to label the listing 'suspicious' and require manual vetting.
! index.ts:214: File read combined with network send (possible exfiltration).
! SKILL.md:698: Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.


Tags: agent-memory · e2e-encryption · e2ee · encryption · latest · memory · persistent-context · privacy


Runtime requirements

Clawdis
OS: macOS · Linux · Windows
