Plugin v1.1.2
ClawScan security
Memory (MemoryLake) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 27, 2026, 11:49 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The plugin's code, runtime instructions, and configuration requests are coherent with a MemoryLake-backed long-term memory plugin — nothing requested is disproportionate — but it does inject prompts and can auto-upload conversation content and inbound files, so review privacy implications before enabling.
- Guidance: This plugin is internally consistent with its purpose (a MemoryLake backend) but has real privacy implications: it will inject instructions into the agent's system prompt, automatically capture agent/user exchanges, and (if enabled) auto-upload inbound files to MemoryLake using the configured apiKey/projectId. Before installing:
  1. only use a MemoryLake API key and project/projectId you trust; check key scopes and revoke if needed;
  2. consider disabling autoUpload or autoCapture in the plugin config if you handle sensitive files or PII;
  3. review the included scripts (skills/memorylake-upload/scripts/upload.mjs and install scripts) to confirm upload behavior and destination;
  4. confirm the host value is correct (default is https://app.memorylake.ai) and do not change it to an untrusted endpoint;
  5. if you want stricter control, require explicit agent approval before enabling the optional advanced_web_search or before allowing agent-invoked tools.
- Findings:
  - [system-prompt-override] expected: The SKILL.md and code intentionally inject retrieval instructions into the system prompt (Auto-Recall). The scanner flagged this pattern, but it matches the documented design: the plugin enforces a per-turn retrieve_context step by inserting instructions into the system prompt.
Review Dimensions
- Purpose & Capability (ok): Name/description (MemoryLake memory backend) align with what the code and SKILL.md do: register memory/document/search tools, auto-recall/capture/upload hooks, and a CLI. Required credentials (apiKey, projectId) are declared in the documentation/config and are appropriate for a remote memory backend.
- Instruction Scope (note): The SKILL.md explicitly describes injecting instructions into the system prompt (forcing the agent to call retrieve_context before replies), auto-capturing conversation exchanges, and auto-uploading inbound files. That behavior is expected for persistent-memory functionality, but it is intrusive: the plugin will rewrite/inject system-level instructions and will send conversation text and files to MemoryLake. Users should be aware this is part of the plugin's runtime behavior.
- Install Mechanism (ok): There is no remote download/install hook in the registry manifest — the repository contains local scripts (upload.mjs, install.sh) and plugin code which will run when the plugin is installed by OpenClaw. No external URLs or shorteners are used by the install process in the provided code. This is lower-risk than arbitrary remote executable downloads.
- Credentials (ok): The plugin requires an API key and project ID for MemoryLake (provided via plugin config/openclaw.json), and otherwise does not request unrelated credentials or secret environment variables. It reads OpenClaw config files (e.g., ~/.openclaw/openclaw.json) and may consult OPENCLAW_ROOT at runtime, which is reasonable for an OpenClaw plugin.
- Persistence & Privilege (note): always is false (good). The plugin registers hooks that run automatically (autoRecall, autoCapture, autoUpload) and can run silently by default; this is expected for a memory plugin but increases privacy surface because conversation content and inbound files can be uploaded to an external service without additional explicit per-upload confirmation. The agent can also be allowed to call optional web-search tools if the operator enables them.
