Plugin v0.1.0
ClawScan security
ClawXMemory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Benign (Mar 30, 2026, 8:51 AM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This package is internally consistent with being a local memory plugin: it requires only local config, exposes a local read-only dashboard and diagnostic scripts that read the plugin's SQLite DB, and does not request unrelated credentials or installs.
- Guidance: This plugin appears to do what it says: local-first memory with an optional dashboard and diagnostic scripts that read the plugin's SQLite DB. Before installing, consider:
  1. Enabling allowPromptInjection is required for this plugin to inject memory into prompts. Only enable it if you trust the plugin and understand that it bypasses OpenClaw's prompt-injection block for the memory slot.
  2. The dashboard listens on a local port (39393 by default); confirm uiHost is bound to localhost and the port is not exposed to untrusted networks.
  3. Diagnostic scripts will read the SQLite DB (default ~/.openclaw/clawxmemory/memory.sqlite); ensure filesystem permissions meet your security requirements.
  4. Verify the package source on the registry (package contents and the published tarball) before installing to ensure no unexpected code is introduced.
  If you want lower risk, disable the UI and avoid running the optional debug/repair scripts unless needed.
Review Dimensions
- Purpose & Capability (ok): The name/description (multi-level local memory + UI) match the provided artifacts: openclaw.plugin.json, README, and SKILL.md files that describe capturing L0/L1/L2 memories, local SQLite storage, and a local dashboard. The settings (dbPath, uiHost/uiPort, uiEnabled) are appropriate for a memory plugin.
- Instruction Scope (note): Runtime instructions focus on installing/enabling the plugin, configuring it in OpenClaw, running memory tools (memory_search, memory_get, memory_overview, memory_flush) and occasional node diagnostic scripts that read the local SQLite DB (default ~/.openclaw/clawxmemory/memory.sqlite). These actions are consistent with the stated purpose, but require access to local files and the OpenClaw plugin config and instruct enabling allowPromptInjection (see Persistence & Privilege). The skill does not instruct exfiltration or network callbacks beyond serving a local UI, but diagnostic scripts and the dashboard will read local state.
- Install Mechanism (ok): There is no install spec in the skill bundle (instruction-only). The README/SKILL.md recommend installing via the OpenClaw plugin system (openclaw plugins install), which is the expected mechanism. No arbitrary remote download URLs or extract steps are present in the provided files.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config paths beyond OpenClaw plugin config entries. The package-lock lists many transitive dependencies (including some cloud/model SDKs), likely pulled in from dev or peer deps, but the runtime instructions and plugin config do not request cloud credentials, so the declared environment access is proportionate to a local memory plugin.
- Persistence & Privilege (note): The skill does not set always:true and is user-invocable. However, the install/config guidance requires enabling plugins.entries.clawxmemory.hooks.allowPromptInjection: true so the plugin can inject memory during before_prompt_build; enabling this hook weakens prompt-injection protections for the memory slot (this is necessary for memory injection but is a security-relevant configuration change). The plugin runs a local dashboard (default port 39393) and diagnostic scripts that read the plugin's SQLite file; these are reasonable for a memory plugin but warrant attention to host binding and DB file access controls.
