Trusted: risk score 10/100
Last scanned: 2 days ago
totalreclaw
End-to-end encrypted memory vault for AI agents using AES-256-GCM E2EE
TotalReclaw is a legitimate E2EE memory vault skill. All pre-scan flags are benign: base64 Buffer operations are standard AES-256-GCM ciphertext encoding, hardcoded passwords are test-only fixtures, and the filesystem/network access is inherent to its stated purpose.
Skill name: totalreclaw
Analysis time: 164.6s
Engine: pi
Safe to install
Approve for use. Consider documenting the implicit filesystem:WRITE need for credential storage and the implicit network:WRITE need for the server API in a future SKILL.md revision.

Security findings (5)

Severity Finding Location
Low
Filesystem WRITE not declared in SKILL.md
SKILL.md declares 'env: []' and 'bins: []' under requires, but the plugin writes credentials to ~/.totalreclaw/credentials.json and a header to ~/.openclaw/workspace/MEMORY.md. This is necessary and appropriate for the functionality but undocumented.
fs.writeFileSync(CREDENTIALS_PATH, JSON.stringify({ userId, salt: keys.salt.toString('base64') }))
→ Update SKILL.md requires section to document that the skill reads/writes ~/.totalreclaw/ and ~/.openclaw/workspace/ directories.
plugin/index.ts:387
Low
Network access to api.totalreclaw.xyz not declared in requires.env
SKILL.md lists 'env: []' under requires, but the plugin connects to https://api.totalreclaw.xyz by default. This is a legitimate hosted service call but is not declared.
const serverUrl = process.env.TOTALRECLAW_SERVER_URL || 'https://api.totalreclaw.xyz';
→ Update SKILL.md to list network:READ and network:WRITE as required capabilities, or at minimum document the server URL in the configuration section.
plugin/index.ts:310
Info
Pre-scan base64 CRITICAL flags are all false positives
All five CRITICAL flags for 'base64_cmd' (Buffer.from with 'base64' encoding) are standard E2EE ciphertext handling: base64 decoding of stored salts and encrypted blobs. No eval, no obfuscation, no shell execution involved.
Buffer.from(record.data, 'base64') // JSON serialization round-trip for exported Buffer fields
→ No action needed. These are legitimate crypto operations.
dist/tools/export.js, plugin/index.ts:223
Info
Test file hardcoded passwords are test fixtures only
Hardcoded passwords ('pocv2-e2e-test-password-2026', 'test-password-123', etc.) appear in test files only. These are intentionally weak test fixture values and do not represent production credentials.
const testPassword = 'pocv2-e2e-test-password-2026';
→ No action needed for production security. Consider using environment variables or jest's test secrets management for better testing hygiene.
plugin/pocv2-e2e-test.ts, tests/integration/e2e-flow.test.ts:401
Info
Recovery phrase displayed to user is intentional UX feature
The SKILL.md instructs the agent to display the recovery phrase to the user. This is the core UX for the BIP-39 mnemonic-based vault — the user must see and save their phrase. This is declared and appropriate.
Ask the user: 'Do you have an existing TotalReclaw recovery phrase you'd like to restore, or should I generate a new one?'
→ No action needed. This is the intended design.
SKILL.md:1
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | READ | ✓ Consistent | plugin/index.ts - reads ~/.totalreclaw/credentials.json; reads file_path paramet…
Filesystem | NONE | WRITE | ✓ Consistent | plugin/index.ts:387 - writes to CREDENTIALS_PATH (~/.totalreclaw/credentials.jso…
Network access | NONE | READ | ✓ Consistent | plugin/index.ts - GET /v1/billing/status to api.totalreclaw.xyz; plugin/index.ts…
Network access | NONE | WRITE | ✓ Consistent | plugin/index.ts - POST /v1/facts to api.totalreclaw.xyz for storage; subgraph-st…
Command execution | NONE | NONE | | No subprocess, no exec, no shell commands found in production code.
Environment variables | NONE | READ | ✓ Consistent | plugin/index.ts - reads TOTALRECLAW_RECOVERY_PHRASE, TOTALRECLAW_SERVER_URL, TOT…
Skill invocation | WRITE | WRITE | ✓ Consistent | 9 declared tools: totalreclaw_remember, recall, forget, export, status, upgrade,…
Clipboard | NONE | NONE | | No clipboard access found.
Browser | NONE | NONE | | No browser automation found.
Database | NONE | NONE | | No direct database access. Server-side PostgreSQL used as relay only.
5 critical · 5 high · 50 findings
Critical | Encoded execution | Base64-encoded execution (code obfuscation) | Buffer.from(record.data, 'base64' | dist/tools/export.js:223
Critical | Encoded execution | Base64-encoded execution (code obfuscation) | Buffer.from(creds.salt, 'base64' | plugin/index.ts:366
Critical | Encoded execution | Base64-encoded execution (code obfuscation) | Buffer.from(b64, 'base64' | plugin/index.ts:724
Critical | Encoded execution | Base64-encoded execution (code obfuscation) | Buffer.from(encryptedBase64, 'base64' | plugin/pocv2-e2e-test.ts:141
Critical | Encoded execution | Base64-encoded execution (code obfuscation) | Buffer.from(response.body.salt, 'base64' | tests/integration/server-integration.test.ts:360
High | API key | Suspected hard-coded credential | Password: 'my-secure-password' | dist/index.d.ts:13
High | API key | Suspected hard-coded credential | Password = 'pocv2-e2e-test-password-2026' | plugin/pocv2-e2e-test.ts:401
High | API key | Suspected hard-coded credential | Password: 'test-password-123' | tests/integration/e2e-flow.test.ts:281
High | API key | Suspected hard-coded credential | Password: 'new-user-password' | tests/integration/e2e-flow.test.ts:348
High | API key | Suspected hard-coded credential | Password: 'existing-password' | tests/integration/e2e-flow.test.ts:361

Directory structure

112 files · 1.2 MB · 37463 lines
TypeScript 80f · 28900L JavaScript 21f · 5175L JSON 6f · 1713L Markdown 4f · 1656L Shell 1f · 19L
├─ 📁 dist
│ ├─ 📁 extraction
│ │ ├─ 📜 dedup.d.ts TypeScript 154L · 4.4 KB
│ │ ├─ 📜 dedup.js JavaScript 430L · 16.4 KB
│ │ ├─ 📜 extractor.d.ts TypeScript 124L · 4.1 KB
│ │ ├─ 📜 extractor.js JavaScript 455L · 17.0 KB
│ │ ├─ 📜 index.d.ts TypeScript 10L · 948 B
│ │ ├─ 📜 index.js JavaScript 38L · 4.4 KB
│ │ ├─ 📜 prompts.d.ts TypeScript 331L · 8.4 KB
│ │ └─ 📜 prompts.js JavaScript 486L · 17.6 KB
│ ├─ 📁 reranker
│ │ ├─ 📜 cross-encoder.d.ts TypeScript 149L · 4.3 KB
│ │ └─ 📜 cross-encoder.js JavaScript 608L · 21.5 KB
│ ├─ 📁 tools
│ │ ├─ 📜 export.d.ts TypeScript 79L · 2.4 KB
│ │ ├─ 📜 export.js JavaScript 236L · 7.4 KB
│ │ ├─ 📜 forget.d.ts TypeScript 61L · 1.8 KB
│ │ ├─ 📜 forget.js JavaScript 119L · 4.0 KB
│ │ ├─ 📜 index.d.ts TypeScript 48L · 1.7 KB
│ │ ├─ 📜 index.js JavaScript 77L · 4.0 KB
│ │ ├─ 📜 recall.d.ts TypeScript 86L · 2.9 KB
│ │ ├─ 📜 recall.js JavaScript 169L · 5.3 KB
│ │ ├─ 📜 remember.d.ts TypeScript 64L · 2.0 KB
│ │ ├─ 📜 remember.js JavaScript 119L · 3.7 KB
│ │ ├─ 📜 status.d.ts TypeScript 71L · 2.3 KB
│ │ └─ 📜 status.js JavaScript 124L · 4.3 KB
│ ├─ 📁 triggers
│ │ ├─ 📜 agent-end.d.ts TypeScript 62L · 2.1 KB
│ │ ├─ 📜 agent-end.js JavaScript 289L · 11.1 KB
│ │ ├─ 📜 before-agent-start.d.ts TypeScript 66L · 2.5 KB
│ │ ├─ 📜 before-agent-start.js JavaScript 338L · 13.6 KB
│ │ ├─ 📜 index.d.ts TypeScript 27L · 1.1 KB
│ │ ├─ 📜 index.js JavaScript 37L · 1.7 KB
│ │ ├─ 📜 pre-compaction.d.ts TypeScript 61L · 2.2 KB
│ │ └─ 📜 pre-compaction.js JavaScript 320L · 12.0 KB
│ ├─ 📜 config.d.ts TypeScript 85L · 2.5 KB
│ ├─ 📜 config.js JavaScript 345L · 11.0 KB
│ ├─ 📜 debug.d.ts TypeScript 16L · 655 B
│ ├─ 📜 debug.js JavaScript 26L · 753 B
│ ├─ 📜 index.d.ts TypeScript 31L · 1.5 KB
│ ├─ 📜 index.js JavaScript 52L · 3.3 KB
│ ├─ 📜 totalreclaw-skill.d.ts TypeScript 229L · 6.1 KB
│ ├─ 📜 totalreclaw-skill.js JavaScript 873L · 32.2 KB
│ ├─ 📜 types.d.ts TypeScript 189L · 4.7 KB
│ └─ 📜 types.js JavaScript 18L · 479 B
├─ 📁 plugin
│ ├─ 📁 import-adapters
│ │ ├─ 📜 base-adapter.ts TypeScript 92L · 2.6 KB
│ │ ├─ 📜 chatgpt-adapter.ts TypeScript 323L · 10.2 KB
│ │ ├─ 📜 claude-adapter.ts TypeScript 146L · 4.4 KB
│ │ ├─ 📜 import-adapters.test.ts TypeScript 1123L · 43.7 KB
│ │ ├─ 📜 index.ts TypeScript 28L · 1.1 KB
│ │ ├─ 📜 mcp-memory-adapter.ts TypeScript 276L · 7.9 KB
│ │ ├─ 📜 mem0-adapter.ts TypeScript 233L · 6.2 KB
│ │ └─ 📜 types.ts TypeScript 112L · 3.6 KB
│ ├─ 📜 api-client.ts TypeScript 328L · 10.3 KB
│ ├─ 📜 consolidation.test.ts TypeScript 356L · 12.1 KB
│ ├─ 📜 consolidation.ts TypeScript 227L · 7.5 KB
│ ├─ 📜 crypto.ts TypeScript 224L · 8.0 KB
│ ├─ 📜 embedding.ts TypeScript 75L · 2.8 KB
│ ├─ 📜 extractor-dedup.test.ts TypeScript 168L · 5.9 KB
│ ├─ 📜 extractor.ts TypeScript 365L · 13.3 KB
│ ├─ 📜 generate-mnemonic.ts TypeScript 14L · 573 B
│ ├─ 📜 hot-cache-wrapper.ts TypeScript 126L · 4.3 KB
│ ├─ 📜 index.ts TypeScript 3318L · 130.5 KB
│ ├─ 📜 llm-client.ts TypeScript 418L · 12.8 KB
│ ├─ 📜 lsh.test.ts TypeScript 463L · 15.7 KB
│ ├─ 📜 lsh.ts TypeScript 66L · 1.7 KB
│ ├─ 📋 openclaw.plugin.json JSON 26L · 681 B
│ ├─ 📋 package-lock.json JSON 1353L · 47.5 KB
│ ├─ 📋 package.json JSON 40L · 962 B
│ ├─ 📜 pocv2-e2e-test.ts TypeScript 917L · 32.1 KB
│ ├─ 📜 porter-stemmer.d.ts TypeScript 4L · 143 B
│ ├─ 📝 README.md Markdown 105L · 4.0 KB
│ ├─ 📜 reranker.test.ts TypeScript 594L · 20.7 KB
│ ├─ 📜 reranker.ts TypeScript 537L · 18.1 KB
│ ├─ 📜 semantic-dedup.test.ts TypeScript 392L · 13.5 KB
│ ├─ 📜 semantic-dedup.ts TypeScript 100L · 3.4 KB
│ ├─ 🔧 setup.sh Shell 19L · 531 B
│ ├─ 📜 store-dedup-wiring.test.ts TypeScript 186L · 7.7 KB
│ ├─ 📜 subgraph-search.ts TypeScript 282L · 8.4 KB
│ └─ 📜 subgraph-store.ts TypeScript 445L · 15.5 KB
├─ 📁 src
│ ├─ 📁 extraction
│ │ ├─ 📜 dedup.ts TypeScript 606L · 17.5 KB
│ │ ├─ 📜 extractor.ts TypeScript 659L · 18.3 KB
│ │ ├─ 📜 index.ts TypeScript 54L · 1.0 KB
│ │ └─ 📜 prompts.ts TypeScript 557L · 17.6 KB
│ ├─ 📁 reranker
│ │ └─ 📜 cross-encoder.ts TypeScript 739L · 20.3 KB
│ ├─ 📁 tools
│ │ ├─ 📜 export.ts TypeScript 277L · 7.5 KB
│ │ ├─ 📜 forget.ts TypeScript 141L · 4.0 KB
│ │ ├─ 📜 index.ts TypeScript 106L · 2.8 KB
│ │ ├─ 📜 recall.ts TypeScript 213L · 5.8 KB
│ │ ├─ 📜 remember.ts TypeScript 143L · 3.9 KB
│ │ └─ 📜 status.ts TypeScript 168L · 4.8 KB
│ ├─ 📁 triggers
│ │ ├─ 📜 agent-end.ts TypeScript 376L · 10.6 KB
│ │ ├─ 📜 before-agent-start.ts TypeScript 403L · 12.8 KB
│ │ ├─ 📜 index.ts TypeScript 43L · 1.1 KB
│ │ └─ 📜 pre-compaction.ts TypeScript 463L · 13.0 KB
│ ├─ 📜 config.ts TypeScript 435L · 11.9 KB
│ ├─ 📜 debug.ts TypeScript 35L · 979 B
│ ├─ 📜 index.ts TypeScript 70L · 1.6 KB
│ ├─ 📜 totalreclaw-skill.ts TypeScript 1050L · 30.2 KB
│ └─ 📜 types.ts TypeScript 233L · 5.5 KB
├─ 📁 tests
│ ├─ 📁 extraction
│ │ └─ 📜 host-llm-integration.test.ts TypeScript 200L · 6.9 KB
│ ├─ 📁 fixtures
│ │ └─ 📜 conversations.ts TypeScript 1120L · 34.5 KB
│ ├─ 📁 integration
│ │ ├─ 📜 e2e-flow.test.ts TypeScript 1146L · 31.3 KB
│ │ ├─ 📜 hooks-integration.test.ts TypeScript 1332L · 35.3 KB
│ │ └─ 📜 server-integration.test.ts TypeScript 947L · 26.3 KB
│ ├─ 📜 config.test.ts TypeScript 551L · 16.7 KB
│ ├─ 📜 extraction.test.ts TypeScript 935L · 27.6 KB
│ ├─ 📜 integration.test.ts TypeScript 882L · 23.0 KB
│ ├─ 📜 reranker.test.ts TypeScript 383L · 11.6 KB
│ └─ 📜 tools.test.ts TypeScript 752L · 19.4 KB
├─ 📝 CLAWHUB.md Markdown 134L · 4.6 KB
├─ 📜 jest.config.js JavaScript 16L · 409 B
├─ 📋 package.json JSON 60L · 1.3 KB
├─ 📝 README.md Markdown 436L · 12.2 KB
├─ 📋 skill.json JSON 213L · 6.4 KB
├─ 📝 SKILL.md Markdown 981L · 29.4 KB
└─ 📋 tsconfig.json JSON 21L · 524 B

Dependency analysis (5)

Package | Version | Source | Known vulnerabilities | Notes
onnxruntime-node | ^1.17.0 | npm | | ONNX runtime for local embedding generation. Version pinned to ^1.17.0.
uuid | ^9.0.0 | npm | | Standard UUID generation for fact IDs.
@totalreclaw/client | file:../client | local | | Local workspace dependency, not from registry. Assumed trusted.
jest | ^29.7.0 | npm | | Dev dependency for testing.
typescript | ^5.3.0 | npm | | Dev dependency for type checking.

Security highlights

✓ Strong E2EE: AES-256-GCM encryption with client-side key derivation (Argon2id), server never sees plaintext
✓ No credential exfiltration: The recovery phrase is used locally for key derivation only and never transmitted
✓ No shell execution: No subprocess, exec, or shell command invocations in production code
✓ No sensitive path access: Does not read ~/.ssh, ~/.aws, .env, or similar credential paths
✓ No reverse shell, C2, or data exfiltration patterns detected
✓ No eval(), no atob()-based execution, no base64-piped-to-shell patterns
✓ BIP-39 mnemonic format provides a recognizable security boundary (warning about crypto wallet phrases)
✓ Import function only reads user-specified paths declared in the tool call (file_path parameter)
✓ Content fingerprinting uses HMAC-SHA256 with dedup key, preventing server-side content fingerprinting
✓ Tombstone-based deletion with 30-day recovery window
✓ Comprehensive test suite (112 files, 37463 lines) with integration tests
✓ Open source MIT license, repository hosted on github.com/p-diogo/totalreclaw