Plugin v1.0.0

ClawScan security

Smart Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 3, 2026, 10:00 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill appears to implement a local memory manager consistent with its description; the only noteworthy risks are expected (optional Mem0 cloud syncing and automatic injection of recalled memories into the system prompt), but there are no incoherent or unexplained requirements.
Guidance
This plugin appears to do what it claims. Before installing, consider:
(1) Data locality: memories are stored under ~/.openclaw/smart-memory; review and audit that directory if you have sensitive content.
(2) Mem0 cloud: only enable/use Mem0 if you trust the service; MEM0_API_KEY is required for cloud extraction and will send conversation content to Mem0.
(3) Prompt injection: the plugin injects recalled memories into the system prompt by default; if you are concerned about sensitive data or undesired behavior, disable autoExtract/autoMaintain or turn off prompt injection in configuration.
(4) Autonomy: the plugin registers tools the agent can call; combined with auto-injection this increases impact if the agent is misused.
(5) Review plugin source (included) before installing and consider running in a restricted environment or with Mem0 disabled.
If you want lower risk, install but set extractionProvider: "local" and autoExtract/autoMaintain to false and avoid setting MEM0_API_KEY.
Findings
[system-prompt-override] expected: Static scan flagged prompt-injection patterns. This skill intentionally formats and injects recalled memories into the system prompt (documented in SKILL.md). That behaviour is expected for a memory plugin, but it is exactly the pattern scanners look for because it can be abused or leak sensitive content if enabled without caution.

Review Dimensions

Purpose & Capability
ok: Name/description match implementation: extraction, LanceDB vector store, WAL, session state, consolidation, optional Mem0 cloud. Declared optional env var (MEM0_API_KEY) is the only credential and is justified by Mem0 integration. Declared dependency on node and npm packages (lancedb, mem0ai) is proportional to the feature set.
Instruction Scope
note: SKILL.md instructs the plugin to extract memories from conversations, persist to ~/.openclaw/smart-memory, and inject recalled memories into the system prompt by default. These behaviors are within the memory manager's stated scope but carry operational risks: automatic system-prompt injection can surface sensitive or irrelevant user content and change model behavior. The SKILL.md does not instruct any unrelated file reads or external endpoints beyond the configured model provider and optional Mem0.
Install Mechanism
ok: No high-risk install (no arbitrary URL downloads); packaging is standard npm with package.json and package-lock.json. mem0ai is dynamically imported (used only if configured). All install sources referenced (npm, GitHub) are expected and proportional.
Credentials
ok: Only optional environment variable is MEM0_API_KEY for cloud extraction, declared in openclaw.plugin.json and referenced in code. No other secrets or unrelated credentials are requested. The plugin stores data under ~/.openclaw/smart-memory (expected for local persistence).
Persistence & Privilege
note: The plugin persists data locally and registers callable tools for agents. always is false. Default settings enable autoExtract and autoMaintain and default prompt injection; combined with autonomous skill invocation this increases the attack/impact surface if an agent is compromised or misconfigured. The persistence and privileges are coherent with a memory plugin, but users should be aware of the automatic injection behavior.