Trusted — Risk Score 5/100
Last scan: 1 day ago
totalreclaw
End-to-end encrypted memory vault for AI agents with AES-256-GCM, BIP-39 key derivation, and on-chain (Gnosis) or centralized storage
TotalReclaw is a legitimate end-to-end encrypted AI memory plugin with no malicious behavior. The three pre-flagged 'base64 encoding' IOCs are all standard cryptographic operations (base64→hex ciphertext conversion and credential salt storage). No code execution, credential theft, data exfiltration, or hidden functionality was found.
Skill Name: totalreclaw
Duration: 158.6s
Engine: pi
Safe to install
Approve for use. The skill is well-structured with proper E2EE design. Minor note: consider pinning @totalreclaw/core to a specific version instead of ^0.1.0 for reproducibility.

Findings 2 items

Severity: Info
Finding: Source enum mismatch between skill.json and SKILL.md (Doc Mismatch)
Location: skill.json:75
skill.json source enum only lists ['mem0', 'mcp-memory'] but SKILL.md totalreclaw_import_from documentation also describes 'chatgpt', 'claude', 'memoclaw', 'generic-json', 'generic-csv' sources. The adapters directory contains chatgpt-adapter.ts and claude-adapter.ts that support these, but skill.json's enum doesn't include them. This is a minor documentation/schema inconsistency, not hidden malicious functionality.
"enum": ["mem0", "mcp-memory"]
→ Update skill.json source enum to include all supported adapters: ['mem0', 'mcp-memory', 'chatgpt', 'claude', 'memoclaw', 'generic-json', 'generic-csv']

Severity: Info
Finding: @totalreclaw/core is a local file: dependency (Supply Chain)
Location: package-lock.json:15
@totalreclaw/core (WASM crypto module for AES-256-GCM, BIP-39, HKDF, SHA-256) is referenced as file:../../rust/totalreclaw-core/pkg in package-lock.json. This local path cannot be audited from the registry and prevents reproducible builds from tarball installs.
"@totalreclaw/core": "file:../../rust/totalreclaw-core/pkg"
→ Publish @totalreclaw/core to npm with a fixed version, or document that source audit requires access to the rust/totalreclaw-core submodule

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md: credential storage (~/.totalreclaw/), billing cache, MEMORY.md header … |
| Network | READ | READ | ✓ Aligned | SKILL.md: api.totalreclaw.xyz, Mem0 API, LLM provider APIs, Gnosis/Base Sepolia … |
| Shell | NONE | NONE | | No spawn/exec/bash invocations found in production code |
| Environment | READ | READ | ✓ Aligned | TOTALRECLAW_RECOVERY_PHRASE, TOTALRECLAW_SERVER_URL, TOTALRECLAW_SELF_HOSTED, TO… |
| Skill Invoke | READ | READ | ✓ Aligned | 9 MCP tools registered: totalreclaw_remember, recall, forget, export, status, co… |
| Clipboard | NONE | NONE | | No clipboard access found |
| Browser | NONE | NONE | | No browser automation found |
| Database | NONE | WRITE | ✓ Aligned | skill.json source enum only declares 'mem0' and 'mcp-memory', but SKILL.md also … |

3 Critical 1 High 28 findings

| Severity | Rule | Match | Location |
|---|---|---|---|
| Critical | Encoded Execution: Base64-encoded execution (code obfuscation) | Buffer.from(creds.salt, 'base64' | index.ts:366 |
| Critical | Encoded Execution: Base64-encoded execution (code obfuscation) | Buffer.from(b64, 'base64' | index.ts:724 |
| Critical | Encoded Execution: Base64-encoded execution (code obfuscation) | Buffer.from(encryptedBase64, 'base64' | pocv2-e2e-test.ts:141 |
| High | API Key: suspected hard-coded credential | Password = 'pocv2-e2e-test-password-2026' | pocv2-e2e-test.ts:401 |
| Medium | External URL | https://clawhub.ai | CLAWHUB.md:3 |
| Medium | External URL | https://clawhub.ai/skills/totalreclaw | CLAWHUB.md:10 |
| Medium | External URL | https://totalreclaw.xyz | CLAWHUB.md:67 |
| Medium | External URL | http://your-totalreclaw-server:8080 | README.md:26 |
| Medium | External URL | http://127.0.0.1:8080 | README.md:246 |
| Medium | External URL | http://your-server:8080 | README.md:273 |
| Medium | External URL | https://www.npmjs.com/package/@totalreclaw/core | README.md:313 |
| Medium | External URL | https://totalreclaw.xyz/pricing | SKILL.md:221 |
| Medium | External URL | https://checkout.stripe.com/c/pay/... | SKILL.md:280 |
| Medium | External URL | https://api.totalreclaw.xyz | SKILL.md:877 |
| Medium | External URL | https://api.mem0.ai | import-adapters/mem0-adapter.ts:156 |
| Medium | External URL | https://api.z.ai/api/paas/v4 | llm-client.ts:64 |
| Medium | External URL | https://api.mistral.ai/v1 | llm-client.ts:69 |
| Medium | External URL | https://api.groq.com/openai/v1 | llm-client.ts:70 |
| Medium | External URL | https://api.deepseek.com/v1 | llm-client.ts:71 |
| Medium | External URL | https://openrouter.ai/api/v1 | llm-client.ts:72 |
| Medium | External URL | https://api.x.ai/v1 | llm-client.ts:73 |
| Medium | External URL | https://api.together.xyz/v1 | llm-client.ts:74 |
| Medium | External URL | https://api.cerebras.ai/v1 | llm-client.ts:75 |
| Medium | External URL | https://opencollective.com/libvips | package-lock.json:88 |
| Medium | External URL | https://paulmillr.com/funding/ | package-lock.json:549 |
| Medium | External URL | https://www.npmjs.com/support | package-lock.json:750 |
| Medium | Wallet Address: cryptocurrency wallet address | 0xC445af1D4EB9fce4e1E61fE96ea7B8feBF03c5ca | subgraph-store.ts:26 |
| Medium | Wallet Address: cryptocurrency wallet address | 0x0000000071727De22E5E9d8BAf0edAc6f37da032 | subgraph-store.ts:29 |

File Tree

38 files · 529.6 KB · 15214 lines
TypeScript 30f · 12011L | JSON 4f · 1633L | Markdown 3f · 1551L | Shell 1f · 19L
├─ 📁 import-adapters
│ ├─ 📜 base-adapter.ts TypeScript 92L · 2.6 KB
│ ├─ 📜 chatgpt-adapter.ts TypeScript 323L · 10.2 KB
│ ├─ 📜 claude-adapter.ts TypeScript 146L · 4.4 KB
│ ├─ 📜 import-adapters.test.ts TypeScript 1123L · 43.7 KB
│ ├─ 📜 index.ts TypeScript 28L · 1.1 KB
│ ├─ 📜 mcp-memory-adapter.ts TypeScript 276L · 7.9 KB
│ ├─ 📜 mem0-adapter.ts TypeScript 233L · 6.2 KB
│ └─ 📜 types.ts TypeScript 112L · 3.6 KB
├─ 📜 api-client.ts TypeScript 328L · 10.3 KB
├─ 📝 CLAWHUB.md Markdown 134L · 4.6 KB
├─ 📜 consolidation.test.ts TypeScript 356L · 12.1 KB
├─ 📜 consolidation.ts TypeScript 227L · 7.5 KB
├─ 📜 crypto.ts TypeScript 224L · 8.0 KB
├─ 📜 embedding.ts TypeScript 75L · 2.8 KB
├─ 📜 extractor-dedup.test.ts TypeScript 168L · 5.9 KB
├─ 📜 extractor.ts TypeScript 365L · 13.3 KB
├─ 📜 generate-mnemonic.ts TypeScript 14L · 573 B
├─ 📜 hot-cache-wrapper.ts TypeScript 126L · 4.3 KB
├─ 📜 index.ts TypeScript 3347L · 132.0 KB
├─ 📜 llm-client.ts TypeScript 418L · 12.8 KB
├─ 📜 lsh.test.ts TypeScript 463L · 15.7 KB
├─ 📜 lsh.ts TypeScript 66L · 1.7 KB
├─ 📋 openclaw.plugin.json JSON 26L · 681 B
├─ 📋 package-lock.json JSON 1353L · 47.5 KB
├─ 📋 package.json JSON 41L · 985 B
├─ 📜 pocv2-e2e-test.ts TypeScript 917L · 32.1 KB
├─ 📜 porter-stemmer.d.ts TypeScript 4L · 143 B
├─ 📝 README.md Markdown 436L · 12.2 KB
├─ 📜 reranker.test.ts TypeScript 594L · 20.7 KB
├─ 📜 reranker.ts TypeScript 537L · 18.1 KB
├─ 📜 semantic-dedup.test.ts TypeScript 392L · 13.5 KB
├─ 📜 semantic-dedup.ts TypeScript 100L · 3.4 KB
├─ 🔧 setup.sh Shell 19L · 531 B
├─ 📋 skill.json JSON 213L · 6.4 KB
├─ 📝 SKILL.md Markdown 981L · 29.4 KB
├─ 📜 store-dedup-wiring.test.ts TypeScript 186L · 7.7 KB
├─ 📜 subgraph-search.ts TypeScript 326L · 9.5 KB
└─ 📜 subgraph-store.ts TypeScript 445L · 15.5 KB

Dependencies 8 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @totalreclaw/core | ^0.1.0 | npm (file: local) | No | WASM crypto module — local file: dependency, not registry-based |
| @huggingface/transformers | ^3.8.1 | npm | No | ONNX inference for local embeddings |
| @noble/hashes | ^2.0.1 | npm | No | Argon2id, HKDF, SHA-256 |
| @scure/bip39 | ^2.0.1 | npm | No | BIP-39 mnemonic validation |
| permissionless | ^0.3.4 | npm | No | ERC-4337 UserOp bundler client |
| viem | ^2.46.3 | npm | No | Ethereum Viem library |
| porter-stemmer | ^0.9.1 | npm | No | Text stemming for blind index tokenization |
| tslib | ^2.8.1 | npm | No | TypeScript runtime library |

Security Positives

✓ No eval(), exec(), spawn(), or dynamic code execution found in any production TypeScript file
✓ No atob(), fromCharCode() abuse, or obfuscated payload execution
✓ No curl|bash or wget|sh remote script execution patterns
✓ No access to ~/.ssh, ~/.aws, ~/.env, or other sensitive host paths
✓ AES-256-GCM encryption is correctly implemented with IV, auth tag, and proper key derivation (BIP-39 + HKDF or Argon2id fallback)
✓ Credentials are never exfiltrated — the auth key hash sent to the server is one-way (SHA-256), the actual key never leaves the client
✓ Embedding generation runs locally via @huggingface/transformers (ONNX) — no plaintext data sent to embedding APIs
✓ All 9 tool names, parameters, and behaviors are fully documented in SKILL.md
✓ Lifecycle hooks (before_agent_start, agent_end, pre_compaction, before_reset) are declared in skill.json
✓ Import adapters only access user-specified file paths or API keys passed as explicit parameters (dry_run defaults to false, api_key used once, never stored)
✓ Billing cache is local-only with TTL and used for quota warnings only
✓ Credential file (~/.totalreclaw/credentials.json) uses base64 encoding for transport, not for obfuscation — this is standard for binary-in-JSON
✓ Blockchain submission uses ERC-4337 UserOps via Pimlico relay (account abstraction) — no private keys sent to relay, only signed UserOps