Pluginv1.0.8

ClawScan security

Finch Smart Memory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 4, 2026, 12:32 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The plugin appears to do what it says: a local smart-memory component using the host OpenClaw LLM provider, with an optional Mem0 cloud integration — nothing in the codebase is disproportionate to that purpose, but it persists conversation data locally and can optionally send data to Mem0 if you provide an API key, so review data-retention and the optional cloud integration before enabling.
Guidance: This plugin is coherent with its stated purpose, but it persistently stores conversation-derived memories locally (~/.openclaw/smart-memory) and can optionally send conversation data to Mem0 if you set MEM0_API_KEY. Before installing: - Understand persistence: check the dataDir, retention policy, and how to view/delete stored memories (the code saves chunks, daily logs, WAL entries). If you handle secrets or sensitive PII, consider disabling autoExtract/autoMaintain or increasing extraction thresholds. - Mem0 cloud: only set MEM0_API_KEY if you trust Mem0 and have read their privacy/retention policies — enabling it will transmit conversation content to an external managed service. - Prompt injection: the plugin will add recalled memories to the system prompt; this can cause older or sensitive content to be re-included in model context. If this concerns you, disable automatic injection or restrict maxRecallChunks/maxRecallTokens in the plugin config. - Review & audit: since the package includes full source, you (or your security team) can inspect storage, WAL, and mem0 integration code paths. If you want to limit exposure, set autoExtract=false and mem0 integration off, and periodically run memory_maintain or delete the plugin dataDir when done.
Findings: [system-prompt-override] expected: The skill explicitly injects memories into the system prompt (SKILL.md and code behavior). The pattern detected likely corresponds to intended plugin behavior, but it is a privacy-sensitive capability because it causes stored memories to be included in future prompts.

Review Dimensions

Purpose & Capability: okName/description match the code and runtime behavior. The code implements extraction, ANN/keyword hybrid search, tiers, WAL, session state, consolidation, and an optional Mem0 cloud integration. No unrelated credentials or unrelated binaries are requested. The only external credential referenced is MEM0_API_KEY and it is optional; LLM calls route through the injected OpenClaw provider (setLlmProvider).
Instruction Scope: noteSKILL.md and the code explicitly instruct the plugin to: extract memories from conversations, persist them under a data directory (~/.openclaw/smart-memory by default), inject selected memories into the system prompt at response time, and optionally call Mem0's API when MEM0_API_KEY/config is set. Injecting memories into the system prompt is expected for a memory plugin but is privacy-sensitive (it can cause sensitive user content to be repeatedly included in model prompts). The SKILL.md also includes a direct statement about 'Prompt injection — automatically injects relevant memories into the system prompt', which aligns with the code.
Install Mechanism: okThere is no external download/install spec in the manifest (no arbitrary remote URL fetch). The repository includes full source and built dist files; installation is via OpenClaw plugin install or npm, which is consistent with the package contents. No extract-from-unknown-URL installs were found.
Credentials: noteThe skill declares no required environment variables in the registry metadata; the code references an optional MEM0_API_KEY for the Mem0 cloud integration and will fall back to local extraction. Requesting (and using) MEM0_API_KEY is proportional if you opt into Mem0. The plugin writes data to the user's home directory (~/.openclaw/smart-memory) and persists conversation-derived information — this is expected but significant for privacy. No other unrelated keys or broad credentials are requested.
Persistence & Privilege: noteThe plugin persists memories (WAL, daily entries, stored chunks) in a dedicated dataDir under the user's home directory and registers tools for autonomous use. It does not request always:true or attempt to modify other plugins' configs. Autonomous invocation and system-prompt injection are normal for a memory plugin but increase blast radius for stored sensitive information. The optional Mem0 sync feature will transmit stored/derived memory data to Mem0 when an API key is configured.