Plugin v2.1.1

ClawScan security

Gralkor Memory (OpenClaw) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 26, 2026, 10:22 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The plugin's code, instructions, and requirements align with a memory plugin that spawns a bundled Python memory server and forwards conversation data to it. Nothing in the package appears to be doing unrelated or covert work, but the runtime behavior that matters most lives in a bundled server shipped in a separate package, and the plugin requires LLM API keys, so you should review that server before enabling.
Guidance
What to consider before installing:
- This plugin spawns a Python memory server (bundled in @susu-eng/gralkor-ts) that will receive conversation content and your workspace memory files. That server will in turn call external LLM/embedding providers using API keys you provide. Review the gralkor-ts adapter and the Gralkor Python server source (linked from SKILL.md) before enabling.
- The plugin requires a writable dataDir where it creates a venv and FalkorDB; choose a dedicated directory with appropriate permissions and backups.
- Provide LLM/embedding API keys with least privilege (use a dedicated key/account for this service if possible), and be aware that conversation content and indexed files may be sent to those provider endpoints.
- The README asks you to install with --dangerously-force-unsafe-install because the install-time scanner flags the bundled server. That flag bypasses install-time protections; only use it after you have inspected the server source and are comfortable with running it.
- If you cannot audit the gralkor-ts and Gralkor server code, consider running this plugin in an isolated environment (container or VM) or using an alternative memory provider you trust.

I have medium confidence in this assessment because the plugin's own code is consistent with its description, but important runtime behavior (the Python server) resides in a separate bundled dependency that you should review before enabling.
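The steps above are a manual audit; the script below is an added example (not ClawHub's scanner and not code from the plugin or from @susu-eng/gralkor-ts) of how a practitioner can turn the first two into a repeatable pre-enable check. It walks an unpacked package directory and reports where the code spawns processes, which hosts it may reach, where it reads API keys from the environment, and whether the docs ask for the unsafe-install flag; it then creates a dedicated dataDir with owner-only permissions and verifies it. The package tree it audits is constructed inline as a stand-in (the file names, the "telemetry.example.net" host and the regex patterns are assumptions), so a clean run here says nothing about the real dependency. As the finding below notes, a clean grep is a triage hint, not proof of safety.

```python
"""Pre-enable triage for a plugin that spawns a bundled server and needs a writable dataDir.
Added example; the patterns and the sample package tree are assumptions, not the real plugin."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Things worth a manual look in a bundled adapter/server. Triage hints only (assumed list).
PATTERNS = {
    "spawns_process": re.compile(r"\b(spawn|spawnSync|exec|execFile|execSync)\s*\(|subprocess\.(run|Popen|call)"),
    "network_egress": re.compile(r"https?://[\w.\-]+(?::\d+)?", re.I),
    "reads_api_key": re.compile(r"""(process\.env|os\.environ(?:\.get)?)\s*[\[(]?\s*['"]?[A-Z0-9_]*(API_KEY|TOKEN|SECRET)"""),
    "unsafe_install_flag": re.compile(r"--dangerously-force-unsafe-install"),
}
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".md", ".json", ".sh"}


def audit_tree(root):
    """Walk an unpacked package and return {category: sorted list of 'relpath: matched text'}."""
    root = Path(root)
    hits = {name: set() for name in PATTERNS}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        for name, rx in PATTERNS.items():
            for m in rx.finditer(text):
                hits[name].add(f"{rel}: {m.group(0)}")
    return {k: sorted(v) for k, v in hits.items()}


def egress_hosts(findings):
    """Hosts the code may contact; compare against the providers you actually configured."""
    hosts = set()
    for entry in findings["network_egress"]:
        url = entry.split(": ", 1)[1]
        hosts.add(re.sub(r"^https?://", "", url, flags=re.I).split(":")[0])
    return sorted(hosts)


def unexpected_hosts(findings, allowed):
    """Egress hosts not in the allow-list of providers you intend to send data to."""
    return [h for h in egress_hosts(findings) if h not in allowed]


def prepare_data_dir(path):
    """Create a dedicated dataDir (mode 0700, owned by the caller) and return a list of problems."""
    p = Path(path)
    p.mkdir(mode=0o700, parents=True, exist_ok=True)  # existing dirs are checked, not chmod'ed
    problems = []
    st = p.lstat()
    if stat.S_ISLNK(st.st_mode):
        problems.append("dataDir is a symlink")
    if st.st_uid != os.getuid():
        problems.append("dataDir is not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("dataDir is group/world accessible (expected 0700)")
    parent = p.parent.stat()
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        problems.append("parent directory is world-writable without the sticky bit")
    return problems


def build_sample_package(root):
    """Constructed stand-in for an unpacked adapter package; not the real @susu-eng/gralkor-ts."""
    root = Path(root)
    (root / "dist").mkdir(parents=True)
    (root / "dist" / "adapter.js").write_text(
        'const { spawn } = require("child_process");\n'
        'const key = process.env["OPENAI_API_KEY"];\n'
        'const proc = spawn(venvPython, ["-m", "gralkor.server"], { cwd: dataDir });\n'
        'fetch("https://api.openai.com/v1/embeddings", { headers: { Authorization: key } });\n'
    )
    (root / "server").mkdir()
    (root / "server" / "app.py").write_text(
        "import os, subprocess, requests\n"
        "KEY = os.environ.get('ANTHROPIC_API_KEY')\n"
        "subprocess.run(['pip', 'install', 'falkordb'])\n"
        "requests.post('https://telemetry.example.net/collect', json={})  # constructed surprise\n"
    )
    (root / "SKILL.md").write_text("Install with --dangerously-force-unsafe-install\n")
    return root


def run_demo():
    """Audit the constructed package and prepare a dataDir beside it; returns (findings, hosts, problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_sample_package(Path(tmp) / "node_modules" / "example-adapter")
        findings = audit_tree(pkg)
        problems = prepare_data_dir(Path(tmp) / "gralkor-data")
        return findings, egress_hosts(findings), problems


if __name__ == "__main__":
    findings, hosts, problems = run_demo()
    for cat, entries in findings.items():
        print(f"[{cat}] {len(entries)} hit(s)")
        for e in entries:
            print("   ", e)
    print("egress hosts:", hosts)
    print("unexpected:", unexpected_hosts(findings, {"api.openai.com"}))
    print("dataDir problems:", problems or "none")
```

Point `audit_tree` at the real unpacked dependency under node_modules after a download-only install and read every hit by hand; the allow-list handed to `unexpected_hosts` should contain only the LLM/embedding endpoints for the keys you intend to provide. Run `prepare_data_dir` on the path you will set as dataDir before the first start, so the venv and FalkorDB files are created under owner-only permissions from the beginning.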
Findings
[pre-scan-injection-none] expected: The static pre-scan reported no injection signals. The package contains many dist/*.js files and hooks that call a bundled Python server via a dependency; absence of regex findings is not proof of safety and the SKILL.md explicitly warns the install-time scanner flags the bundled server as critical.

Review Dimensions

Purpose & Capability
ok · The package implements an OpenClaw memory plugin: it registers hooks and tools, scans workspace memory files, captures turns and forwards them to a Gralkor HTTP server, and requires a persistent dataDir and LLM API keys for the server. Those requirements are coherent with the stated purpose.
Instruction Scope
note · Runtime instructions and code register before_prompt_build, agent_end, and session_end hooks and two tools (memory_search, memory_add). The plugin scans workspace files (MEMORY.md, memory/*.md) and sends captured conversation content to the Gralkor HTTP server. This is expected for a memory plugin, but it does mean user messages and local workspace content are forwarded into the server (and then to external LLM providers, depending on config).
Install Mechanism
note · There is no special install spec in the registry, but the SKILL.md requires installing via openclaw plugins install with --dangerously-force-unsafe-install because the plugin spawns a Python server contained in the @susu-eng/gralkor-ts dependency. The package includes compiled JS and wiring code; the high-risk piece is the bundled Python server in the dependency, and the README explicitly warns that the install-time scanner flags it. This is explainable (a bundled server is needed) but raises the importance of an audit.
Credentials
note · The registry metadata lists no required env vars, but the plugin expects LLM/embedding keys (googleApiKey/openaiApiKey/anthropicApiKey/groqApiKey) via plugin config or host gateway env. Those keys are necessary for the server's LLM/embedding calls and are proportionate to a memory plugin, but the absence of declared required credentials in the registry metadata is a mild inconsistency to be aware of.
Persistence & Privilege
ok · The skill does not request always:true and does not modify other skills. It will create a venv and database under the configured dataDir (expected for a local server). It registers a server service so the Python server is supervised by OpenClaw; this is normal for this type of plugin.