Plugin v1.0.11
ClawScan security
Mem0 Plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 5:29 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin's code and README mostly match a memory-backend purpose, but the package metadata and runtime instructions disagree about what secrets/config are required, and the SKILL.md contains a prompt-injection pattern — review before installing or giving keys.
- Guidance: What to check before installing:
  - Confirm origin: the source points to mem0ai/mem0. Verify you trust that repository and review its openclaw.plugin.json / dist entry before enabling.
  - Secrets: the metadata claims no env vars, but the README and code require keys (MEM0_API_KEY for Mem0 cloud; OPENAI_API_KEY or other provider keys for open-source defaults; OSS vector DB credentials). Only provide keys you trust to this plugin; prefer self-hosted mode if you don't want data sent to mem0.ai or OpenAI.
  - Data flow: using Mem0 cloud or the default OpenAI models will send conversation text and extracted facts to external services. If you need privacy, use the OSS mode with local Ollama/Qdrant/PGVector.
  - Prompt injection: the skill injects long system prompts (triage/recall rules). Inspect SKILL.md and any merged domain overlays to ensure no unexpected instructions are present (for example, rules that encourage sending unrelated secrets to the backend).
  - Installation mechanism: the package contains compiled JS and an npm lock. Confirm how OpenClaw installs and runs this plugin (it will execute shipped code). If you want a minimal attack surface, pin to a reviewed release/tag or run the plugin in a sandboxed environment.
  - Ask the publisher or registry maintainer to fix the metadata (declare required env vars and any install steps) so you can make an informed consent decision.

  If you want, I can: (1) scan the remaining files for network calls or hidden endpoints that exfiltrate data, (2) extract the exact places SKILL.md will inject into the agent system prompt, or (3) produce a short checklist for safe configuration (self-hosting switches, env var placement, restricting outbound network).
- Findings:
  - [system-prompt-override] expected: Memory/back-end skills commonly inject system-level prompt text (triage/recall instructions), so a 'system prompt override' pattern can be expected. Still, this is exactly the type of content that could manipulate agent behavior — review SKILL.md and loaded prompts to ensure no unexpected or overly broad instructions are present.
Review Dimensions
- Purpose & Capability (concern): Name/description say 'Mem0 memory backend'. The included code and SKILL.md show this is accurate (cloud backend + self-hosted modes, local SQLite, OpenAI/Ollama/Anthropic/Qdrant/PGVector support). However, the registry metadata claims 'required env vars: none' while the SKILL.md and code clearly require or accept API keys (MEM0 API key for cloud, OPENAI_API_KEY or other provider keys for OSS mode). That mismatch is unexpected and disproportionate.
- Instruction Scope (concern): SKILL.md instructs the agent/administrator to run 'openclaw mem0 init' and to pass API keys and provider URLs/credentials (oss-llm-key, oss-embedder-key, oss-vector-password, MEM0_API_KEY). It also contains content that the static scanner flagged as a 'system-prompt-override' pattern (the skill text is intended to be injected into the agent's system prompt to control triage/recall behavior). While that is normal for a memory skill, it is a prompt-injection surface that should be reviewed, because it grants the skill authority to shape agent behavior and could be abused if the skill were malicious or compromised.
- Install Mechanism (note): Registry shows no install spec (instruction-only), but the package includes a full source/dist tree and pnpm-lock/package.json entries. That inconsistency is notable: this is a packaged plugin (with npm dependencies) and not purely an instruction-only SKILL.md. There are no suspicious external download URLs in the manifest shown; dependencies are typical npm packages. Still, confirm how the OpenClaw CLI will install/run this code (it will execute shipped JS), and review the shipped dist/entry points before installation.
- Credentials (concern): Functionality legitimately requires credentials when using the cloud (MEM0_API_KEY) or the default OSS LLM/embedder providers (OPENAI_API_KEY, provider-specific keys). The skill metadata advertises 'none' for required env vars, which is incorrect and could mislead users into exposing keys later. The number and kinds of secrets (LLM keys, embedder keys, vector DB credentials) are proportional to a memory backend, but the metadata should declare them explicitly.
- Persistence & Privilege (ok): always:false (not force-enabled), and the skill does not request system-wide privileges in the manifest. The code writes state under a plugin-owned stateDir (e.g., ~/.mem0) and exposes a public-artifacts provider for other plugins — this is expected for a memory backend. Autonomous invocation (disable-model-invocation:false) is the platform default; combine that with the prompt-injection pattern and cloud data flows when evaluating risk.
