Plugin v0.8.0
ClawScan security
Memory Layer 记忆分层 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 10:56 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The plugin's code, runtime instructions, and requested resources are consistent with its stated purpose (per-user layered memory for multi-user OpenClaw agents); no unexpected network or credential access was found — review configuration (especially sharedFilePath) and test in a controlled environment before production use.
- Guidance: This plugin appears to do what it claims: isolate per-user memory by reading/writing files in the agent workspace. Before installing:
  1) Review and pin the source (GitHub repo) and verify you trust the maintainer.
  2) Install in a staging environment and run the recommended tests in ARCHITECTURE.md to confirm isolation.
  3) Carefully configure sharedFilePath (avoid pointing it at sensitive absolute paths) and set filesystem permissions so the plugin can only access intended directories.
  4) Keep session-memory disabled as advised to avoid competing writes.
  5) If you operate in a multi-tenant or sensitive environment, audit the plugin code yourself (it’s small and file-based) and consider running the agent in a sandboxed container or with least-privilege filesystem mounts.
Review Dimensions
- Purpose & Capability (ok): Name/description describe a multi-user layered memory plugin and the code + SKILL.md implement filesystem-based layered memory, prompt injection, hooks, and redirection of legacy memory paths. Required env vars/binaries/credentials are none, which matches the filesystem-based plugin purpose.
- Instruction Scope (ok): SKILL.md only documents installing the plugin, configuration, and expected behavior (disabling session-memory, configuration options, usage). It does not instruct the agent to read unrelated system files, exfiltrate data, or call external endpoints. The runtime behavior (in code) is limited to reading/writing files under the agent workspace and handling OpenClaw hook events, consistent with the stated scope.
- Install Mechanism (ok): No install spec that downloads or executes arbitrary remote archives. The package is distributed as a normal NPM/ClawHub plugin and the package.json lists only local files. Risk from install mechanism is low.
- Credentials (note): The plugin requests no environment variables or credentials. It reads and writes files in the agent workspace by default (baseDir .memory-layer). One configuration option (sharedFilePath) allows setting an absolute path for a shared memory file. This is a legitimate feature for cross-agent sharing but can be abused if set to arbitrary filesystem paths (it would grant the plugin read/write access to that location). Ensure sharedFilePath is set only to intended, permissioned locations.
- Persistence & Privilege (ok): `always` is false and the plugin registers hooks (normal for this capability). It can be invoked autonomously by the agent via hooks (expected). No evidence the plugin modifies other plugins' config or requests permanent elevated system-wide privileges.
