Plugin

End-to-end encrypted memory for AI agents — portable, yours forever. XChaCha20-Poly1305 E2EE: server never sees plaintext.

What to consider before installing: - Metadata mismatch: The registry declares no required env vars but the README/SKILL.md document a sensitive recovery phrase (TOTALRECLAW_RECOVERY_PHRASE) and server URL. Expect to provide/store a mnemonic and to allow the plugin to write to ~/.totalreclaw; this is normal for this kind of plugin but the registry should have declared it. Treat the absence of declared envs as a transparency issue. - Do NOT reuse an existing crypto wallet recovery phrase: the docs explicitly warn never to use a phrase tied to funds. If you install, generate a new dedicated phrase and store it offline—do not reuse any financial wallet seed. - Prompt-injection indicators: automated scanning found 'system-prompt-override' and 'base64-block' patterns in SKILL.md. Manually inspect the SKILL.md sections containing these patterns (or ask the publisher) before granting the plugin autonomous invocation — they may be benign but could also attempt to manipulate agent/system prompts. - Network endpoints & data flow: the included source makes authenticated requests to api.totalreclaw.xyz and writes encrypted blobs to the server. The design claims the server never sees plaintext, but if you do not trust the implementation you should audit the crypto code (crypto.ts, pair-crypto.ts, api-client.ts) to ensure keys are derived/used locally and no plaintext leakage occurs. Consider self-hosting the relay by setting TOTALRECLAW_SERVER_URL to a host you control if you plan to trust the system. - Run in an isolated environment first: because the bundle contains runnable code that writes to your home dir and registers pairing routes, try it in a VM or throwaway account first. Confirm it only writes under ~/.totalreclaw and does not read unrelated config files. - Code audit and provenance: the skill includes many source files and tests (good). If you cannot audit it yourself, prefer code from a known publisher or check for independent audits. Verify package signatures or upstream repository links if possible (homepage is provided). - If you proceed: (1) create a fresh recovery phrase solely for TotalReclaw, (2) do not export that phrase to any network or chat, (3) consider self-hosting the server or inspect requests to the default API endpoint, and (4) restrict the plugin's autonomous permissions until you are confident. If you want, I can point out exactly where SKILL.md contains the prompt-injection patterns or summarize the crypto-related files (crypto.ts, pair-crypto.ts, api-client.ts) to help focus a code review.

Type: OpenClaw Skill Name: totalreclaw-rc Version: 3.3.0-rc.6 The TotalReclaw skill provides an end-to-end encrypted memory vault for AI agents, using XChaCha20-Poly1305 and BIP-39 mnemonics for local key derivation. While the skill handles highly sensitive recovery phrases, it implements robust security measures to prevent leakage, such as moving phrase generation to a local CLI wizard (onboarding-cli.ts) and using ECDH-encrypted payloads for remote pairing (pair-http.ts). The code follows a strict isolation pattern (fs-helpers.ts) to separate disk I/O from network calls, specifically to satisfy OpenClaw's security scanner requirements. The intent is consistently aligned with its privacy-preserving purpose, and no evidence of malicious exfiltration or unauthorized control was found.