中文 EN

扫描报告

扫描新文件

可信 — 风险评分 5/100
上次扫描:1 天前 重新扫描
5 /100
totalreclaw
End-to-end encrypted memory vault for AI agents with AES-256-GCM, BIP-39 key derivation, and on-chain (Gnosis) or centralized storage
TotalReclaw is a legitimate end-to-end encrypted AI memory plugin with no malicious behavior. The three pre-flagged 'base64 encoding' IOCs are all standard cryptographic operations (base64→hex ciphertext conversion and credential salt storage). No code execution, credential theft, data exfiltration, or hidden functionality was found.
技能名称totalreclaw
分析耗时158.6s
引擎pi
可以安装
Approve for use. The skill is well-structured with proper E2EE design. Minor note: consider pinning @totalreclaw/core to a specific version instead of ^0.1.0 for reproducibility.

安全发现 2 项

严重性 安全发现 位置
提示
Source enum mismatch between skill.json and SKILL.md 文档欺骗
skill.json source enum only lists ['mem0', 'mcp-memory'] but SKILL.md totalreclaw_import_from documentation also describes 'chatgpt', 'claude', 'memoclaw', 'generic-json', 'generic-csv' sources. The adapters directory contains chatgpt-adapter.ts and claude-adapter.ts that support these, but skill.json's enum doesn't include them. This is a minor documentation/schema inconsistency, not hidden malicious functionality.
"enum": ["mem0", "mcp-memory"]
→ Update skill.json source enum to include all supported adapters: ['mem0', 'mcp-memory', 'chatgpt', 'claude', 'memoclaw', 'generic-json', 'generic-csv']
 skill.json:75
提示
@totalreclaw/core is a local file: dependency 供应链
@totalreclaw/core (WASM crypto module for AES-256-GCM, BIP-39, HKDF, SHA-256) is referenced as file:../../rust/totalreclaw-core/pkg in package-lock.json. This local path cannot be audited from the registry and prevents reproducible builds from tarball installs.
"@totalreclaw/core": "file:../../rust/totalreclaw-core/pkg"
→ Publish @totalreclaw/core to npm with a fixed version, or document that source audit requires access to the rust/totalreclaw-core submodule
 package-lock.json:15
资源类型声明权限推断权限状态证据
文件系统 WRITE WRITE ✓ 一致 SKILL.md: credential storage (~/.totalreclaw/), billing cache, MEMORY.md header …
网络访问 READ READ ✓ 一致 SKILL.md: api.totalreclaw.xyz, Mem0 API, LLM provider APIs, Gnosis/Base Sepolia …
命令执行 NONE NONE No spawn/exec/bash invocations found in production code
环境变量 READ READ ✓ 一致 TOTALRECLAW_RECOVERY_PHRASE, TOTALRECLAW_SERVER_URL, TOTALRECLAW_SELF_HOSTED, TO…
技能调用 READ READ ✓ 一致 9 MCP tools registered: totalreclaw_remember, recall, forget, export, status, co…
剪贴板 NONE NONE No clipboard access found
浏览器 NONE NONE No browser automation found
数据库 NONE WRITE ✓ 一致 skill.json source enum only declares 'mem0' and 'mcp-memory', but SKILL.md also …
3 严重 1 高危 28 项发现
🔒
严重 编码执行 Base64 编码执行(代码混淆)
Buffer.from(creds.salt, 'base64'
index.ts:366
🔒
严重 编码执行 Base64 编码执行(代码混淆)
Buffer.from(b64, 'base64'
index.ts:724
🔒
严重 编码执行 Base64 编码执行(代码混淆)
Buffer.from(encryptedBase64, 'base64'
pocv2-e2e-test.ts:141
🔑
高危 API 密钥 疑似硬编码凭证
Password = 'pocv2-e2e-test-password-2026'
pocv2-e2e-test.ts:401
🔗
中危 外部 URL 外部 URL
https://clawhub.ai
CLAWHUB.md:3
🔗
中危 外部 URL 外部 URL
https://clawhub.ai/skills/totalreclaw
CLAWHUB.md:10
🔗
中危 外部 URL 外部 URL
https://totalreclaw.xyz
CLAWHUB.md:67
🔗
中危 外部 URL 外部 URL
http://your-totalreclaw-server:8080
README.md:26
🔗
中危 外部 URL 外部 URL
http://127.0.0.1:8080
README.md:246
🔗
中危 外部 URL 外部 URL
http://your-server:8080
README.md:273
🔗
中危 外部 URL 外部 URL
https://www.npmjs.com/package/@totalreclaw/core
README.md:313
🔗
中危 外部 URL 外部 URL
https://totalreclaw.xyz/pricing
SKILL.md:221
🔗
中危 外部 URL 外部 URL
https://checkout.stripe.com/c/pay/...
SKILL.md:280
🔗
中危 外部 URL 外部 URL
https://api.totalreclaw.xyz
SKILL.md:877
🔗
中危 外部 URL 外部 URL
https://api.mem0.ai
import-adapters/mem0-adapter.ts:156
🔗
中危 外部 URL 外部 URL
https://api.z.ai/api/paas/v4
llm-client.ts:64
🔗
中危 外部 URL 外部 URL
https://api.mistral.ai/v1
llm-client.ts:69
🔗
中危 外部 URL 外部 URL
https://api.groq.com/openai/v1
llm-client.ts:70
🔗
中危 外部 URL 外部 URL
https://api.deepseek.com/v1
llm-client.ts:71
🔗
中危 外部 URL 外部 URL
https://openrouter.ai/api/v1
llm-client.ts:72
🔗
中危 外部 URL 外部 URL
https://api.x.ai/v1
llm-client.ts:73
🔗
中危 外部 URL 外部 URL
https://api.together.xyz/v1
llm-client.ts:74
🔗
中危 外部 URL 外部 URL
https://api.cerebras.ai/v1
llm-client.ts:75
🔗
中危 外部 URL 外部 URL
https://opencollective.com/libvips
package-lock.json:88
🔗
中危 外部 URL 外部 URL
https://paulmillr.com/funding/
package-lock.json:549
🔗
中危 外部 URL 外部 URL
https://www.npmjs.com/support
package-lock.json:750
💰
中危 钱包地址 加密货币钱包地址
0xC445af1D4EB9fce4e1E61fE96ea7B8feBF03c5ca
subgraph-store.ts:26
💰
中危 钱包地址 加密货币钱包地址
0x0000000071727De22E5E9d8BAf0edAc6f37da032
subgraph-store.ts:29

目录结构

38 文件 · 529.6 KB · 15214 行
TypeScript 30f · 12011L JSON 4f · 1633L Markdown 3f · 1551L Shell 1f · 19L
├─ 📁 import-adapters
│ ├─ 📜 base-adapter.ts TypeScript 92L · 2.6 KB
│ ├─ 📜 chatgpt-adapter.ts TypeScript 323L · 10.2 KB
│ ├─ 📜 claude-adapter.ts TypeScript 146L · 4.4 KB
│ ├─ 📜 import-adapters.test.ts TypeScript 1123L · 43.7 KB
│ ├─ 📜 index.ts TypeScript 28L · 1.1 KB
│ ├─ 📜 mcp-memory-adapter.ts TypeScript 276L · 7.9 KB
│ ├─ 📜 mem0-adapter.ts TypeScript 233L · 6.2 KB
│ └─ 📜 types.ts TypeScript 112L · 3.6 KB
├─ 📜 api-client.ts TypeScript 328L · 10.3 KB
├─ 📝 CLAWHUB.md Markdown 134L · 4.6 KB
├─ 📜 consolidation.test.ts TypeScript 356L · 12.1 KB
├─ 📜 consolidation.ts TypeScript 227L · 7.5 KB
├─ 📜 crypto.ts TypeScript 224L · 8.0 KB
├─ 📜 embedding.ts TypeScript 75L · 2.8 KB
├─ 📜 extractor-dedup.test.ts TypeScript 168L · 5.9 KB
├─ 📜 extractor.ts TypeScript 365L · 13.3 KB
├─ 📜 generate-mnemonic.ts TypeScript 14L · 573 B
├─ 📜 hot-cache-wrapper.ts TypeScript 126L · 4.3 KB
├─ 📜 index.ts TypeScript 3347L · 132.0 KB
├─ 📜 llm-client.ts TypeScript 418L · 12.8 KB
├─ 📜 lsh.test.ts TypeScript 463L · 15.7 KB
├─ 📜 lsh.ts TypeScript 66L · 1.7 KB
├─ 📋 openclaw.plugin.json JSON 26L · 681 B
├─ 📋 package-lock.json JSON 1353L · 47.5 KB
├─ 📋 package.json JSON 41L · 985 B
├─ 📜 pocv2-e2e-test.ts TypeScript 917L · 32.1 KB
├─ 📜 porter-stemmer.d.ts TypeScript 4L · 143 B
├─ 📝 README.md Markdown 436L · 12.2 KB
├─ 📜 reranker.test.ts TypeScript 594L · 20.7 KB
├─ 📜 reranker.ts TypeScript 537L · 18.1 KB
├─ 📜 semantic-dedup.test.ts TypeScript 392L · 13.5 KB
├─ 📜 semantic-dedup.ts TypeScript 100L · 3.4 KB
├─ 🔧 setup.sh Shell 19L · 531 B
├─ 📋 skill.json JSON 213L · 6.4 KB
├─ 📝 SKILL.md Markdown 981L · 29.4 KB
├─ 📜 store-dedup-wiring.test.ts TypeScript 186L · 7.7 KB
├─ 📜 subgraph-search.ts TypeScript 326L · 9.5 KB
└─ 📜 subgraph-store.ts TypeScript 445L · 15.5 KB

依赖分析 8 项

包名版本来源已知漏洞备注
@totalreclaw/core ^0.1.0 npm (file: local) WASM crypto module — local file: dependency, not registry-based
@huggingface/transformers ^3.8.1 npm ONNX inference for local embeddings
@noble/hashes ^2.0.1 npm Argon2id, HKDF, SHA-256
@scure/bip39 ^2.0.1 npm BIP-39 mnemonic validation
permissionless ^0.3.4 npm ERC-4337 UserOp bundler client
viem ^2.46.3 npm Ethereum Viem library
porter-stemmer ^0.9.1 npm Text stemming for blind index tokenization
tslib ^2.8.1 npm TypeScript runtime library

安全亮点

✓ No eval(), exec(), spawn(), or dynamic code execution found in any production TypeScript file
✓ No atob(), fromCharCode() abuse, or obfuscated payload execution
✓ No curl|bash or wget|sh remote script execution patterns
✓ No access to ~/.ssh, ~/.aws, ~/.env, or other sensitive host paths
✓ AES-256-GCM encryption is correctly implemented with IV, auth tag, and proper key derivation (BIP-39 + HKDF or Argon2id fallback)
✓ Credentials are never exfiltrated — the auth key hash sent to the server is one-way (SHA-256), the actual key never leaves the client
✓ Embedding generation runs locally via @huggingface/transformers (ONNX) — no plaintext data sent to embedding APIs
✓ All 9 tool names, parameters, and behaviors are fully documented in SKILL.md
✓ Lifecycle hooks (before_agent_start, agent_end, pre_compaction, before_reset) are declared in skill.json
✓ Import adapters only access user-specified file paths or API keys passed as explicit parameters (dry_run defaults to false, api_key used once, never stored)
✓ Billing cache is local-only with TTL and used for quota warnings only
✓ Credential file (~/.totalreclaw/credentials.json) uses base64 encoding for transport, not for obfuscation — this is standard for binary-in-JSON
✓ Blockchain submission uses ERC-4337 UserOps via Pimlico relay (accounts abstraction) — no private keys sent to relay, only signed UserOps