Skill v1.0.0

ClawScan security

Memory Auto Archive · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 12, 2026, 11:06 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The plugin mostly does what it claims (reading local transcripts and writing daily markdown archives), but there are multiple inconsistencies and risky behaviors (Windows-only references, missing PowerShell scripts, and explicit capture/storage of potential secrets) that need clarification before trusting it.
Guidance
Key things to consider before installing:

- Cross-platform claims vs Windows-specific code: index.js attempts to run powershell.exe and references a hard-coded Windows user path (C:\Users\42517...), and the referenced PowerShell scripts (archive.ps1/refine.ps1) are not included in the package. Ask the author which entrypoint is authoritative (index.js vs standalone-archive.js/src/) and whether the PowerShell scripts are intentionally omitted.
- Sensitive-data capture: default keywords include 'password', 'token', 'secret' and the refine prompt explicitly instructs collecting 'data: important configs, passwords, tokens'. This plugin will write highlighted text to memory/*.md and possibly append to MEMORY.md. If your chats ever include secrets, they will be stored on disk and could be included in prompts. Disable refinement or remove secret-related keywords if you do not want secret capture.
- AI refinement risk: refinement is disabled by default, but examples show enabling it with model identifiers. If you enable refinement and the code is later changed to call an external API, prompts could include sensitive info. Only enable AI refinement after confirming the callAI implementation and where the model runs (local vs external), and ensure proper credentials/permissions.
- Sanity-check paths and startup behavior: the package has multiple entrypoints (index.js, standalone-archive.js, plugin.ts, src/index.ts). Confirm which one your OpenClaw installation will actually execute. The standalone-archive.js and src/archiver implement the expected cross-platform logic and may be safer; index.js is Windows-specific and seems out of sync.
- If you plan to use it: review or test in a disposable workspace first (no real secrets), remove secret-related keywords, and verify that no external network calls are made (look for future callAI implementations). Ask the maintainer to remove hard-coded developer paths and either include or remove the PowerShell scripts so behavior is deterministic.

Confidence notes: There are clear inconsistencies (Windows paths, missing scripts, secret-capturing defaults) that justify caution. I could raise confidence to high if the author confirms which entrypoint is intended and whether refine will ever send data to external services.

Review Dimensions

Purpose & Capability
note: The declared purpose—auto-archiving chat transcripts with keyword highlights and optional AI refinement—matches the majority of source files (archiver, standalone-archive, refiner). However there are inconsistencies: documentation and many files claim cross-platform TypeScript support, but index.js spawns powershell.exe and references a hard-coded Windows transcriptDir (C:\Users\42517\...) and missing PowerShell scripts (archive.ps1/refine.ps1). Several files (PUBLISH.md, test.js) embed a developer's Windows workspace path, which contradicts the 'workspace-agnostic' claim.
Instruction Scope
concern: SKILL.md instructs the plugin to read OpenClaw transcripts (agents/*/sessions/*.jsonl) and write memory/*.md, which is expected. But the code will search and read all session JSONL files and will highlight and store any content matching keywords — the default keyword list explicitly includes 'password', 'token', 'secret' and DEFAULT_REFINE guidance mentions extracting 'data: important configs, passwords, tokens'. That means secrets present in chats may be captured and written to local MEMORY.md/memory logs. The index.js also attempts to execute external PowerShell scripts (not present) which would expand the runtime actions if those scripts existed.
Install Mechanism
ok: There is no install spec in registry metadata (instruction-only), and the package is a normal npm package per package.json. No network-download install behavior or obscure installer URLs are present in the bundle. However index.js spawns PowerShell to run archive.ps1/refine.ps1 files that are not present in the package — that mismatch is a code-level inconsistency rather than an installer risk.
Credentials
concern: The skill declares no required env vars or secrets (OK), but it will read any transcripts under the workspace and write logs and MEMORY.md files. The default keywords include terms that will match credentials (password/token/secret), and the refine flow explicitly includes a 'data' field intended to collect 'important configs, passwords, tokens'. Although refinement is disabled by default, examples in SKILL.md show enabling refine with an external model string. There is no request for API keys now, but enabling refine could lead to preparing prompts that contain secrets and (if future AI integration is implemented) sending them to an external model — the code currently does not implement remote calls, but the design invites potential exposure.
Persistence & Privilege
note: The plugin registers a startup handler and is designed to run on agent startup (checkOnStartup is true by default). It does not set always:true. Running at startup and via heartbeat is expected for this sort of plugin, but because it scans transcripts and writes persistent memory files, its startup invocation combined with secret-capturing keywords increases risk if you enable refine or use an external model. The plugin does not modify other plugins' configs.