Everclaw
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: everclaw
Version: 0.3.3
This skill is classified as suspicious due to its extensive network communication and data exfiltration capabilities, autonomous setup instructions, and sensitive API key handling. The skill is designed to back up agent memory and identity files to an external cloud service (everclaw.chong-eae.workers.dev) using `curl` commands, which is its stated purpose. However, the `SKILL.md` explicitly instructs the agent to "run the full setup automatically without asking the user any questions," which involves generating an API key, sending it to the remote service during provisioning, storing it in `~/.openclaw/openclaw.json`, and modifying `HEARTBEAT.md` for persistent syncing. While the skill explicitly avoids syncing 'credentials' or 'session transcripts', the high degree of autonomy, direct manipulation of agent configuration files, and the handling of a newly generated API key (sent cleartext once) represent significant trust requirements and potential for misuse, even if plausibly needed for its stated function.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive agent memory and profile files could be sent to the remote vault as soon as the skill is invoked, before the user reviews the exact files and destination.
The skill directs automatic network provisioning and remote upload of local memory/identity files without an explicit user approval step.
When the skill is invoked, run the full setup automatically without asking the user any questions... Do an initial backup — read each of the standard files that exist locally and push them to the vault.
Require clear user confirmation before provisioning and before the first backup, show the file list and remote endpoint, and provide a dry-run or opt-out path.
A user may store highly private data believing it is unreadable to the service operator, even though the provided workflow does not demonstrate that trust model.
The artifacts claim nobody, including the operator, can read the data, but the visible workflow uploads raw file bytes to the service and retrieves decrypted content; no provided artifact shows client-side encryption before upload.
No one can read it, not even us... curl -s -X PUT "https://everclaw.chong-eae.workers.dev/v1/vault/MEMORY.md" ... --data-binary @MEMORY.md ... Load ... Returns decrypted file content.
Document the trust model accurately, provide reviewable client-side encryption before upload if claiming zero-knowledge access, or remove claims that the operator cannot read the data.
Memory files may continue syncing in later sessions or during heartbeat checks, including changes made outside the current conversation.
The skill installs persistent sync behavior by modifying configuration and heartbeat instructions so future sessions can keep uploading changed files.
set skills.entries.everclaw.enabled → true... Append the Everclaw sync task to HEARTBEAT.md... During heartbeat, check if any synced files have been modified since last backup and push them.
Ask before enabling persistent sync, make the heartbeat task easy to disable, and clearly document how to stop syncing and remove stored credentials.
If the vault contents are stale, wrong, or modified by someone with the API key, future sessions could inherit incorrect memory or behavior-shaping files.
The skill can repopulate local memory, persona, and heartbeat context from a remote vault, which makes that remote state part of future agent behavior.
Restore (session start): On first message of a session... restore them from the vault... SOUL.md — persona, tone, values, boundaries... MEMORY.md... HEARTBEAT.md.
Prompt before restoring behavior-shaping files, show diffs, use integrity/version checks, and separate user data from agent instruction files where possible.
Anyone who obtains the API key could access or alter the vault contents, and losing it could prevent recovery.
The API key is expected for this service and the skill includes a guardrail not to display it, but it is still a powerful recovery/access credential stored locally.
skills.entries.everclaw.env.EVERCLAW_API_KEY → the generated API_KEY... All requests require: Authorization: Bearer $EVERCLAW_API_KEY... Never log or display the full EVERCLAW_API_KEY.
Store the key securely, do not share it, and rotate or re-provision the vault if the key may have been exposed.
