Plugin v1.0.0
ClawScan security
OpenClaw Memory System · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 28, 2026, 10:23 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The plugin appears to implement the advertised local memory/indexing features, but there are several implementation inconsistencies and unsafe patterns (notably a Python -c shell interpolation that can lead to code injection and a Node handler using Bun.write) that warrant caution before installing.
- Guidance: This plugin generally implements the advertised local memory features and does not request external credentials. However, before installing or enabling it, consider the following:
  - Code-injection risk: memory-hook.sh embeds the task text into an inline python -c command without proper escaping. If an agent or user supplies a specially crafted task string, it could lead to execution of arbitrary Python code on your machine. Ask the author to remove inline -c embedding or to pass task text as a safely quoted argument (e.g., via argv or reading from a temp file) and to properly sanitize inputs.
  - Runtime mismatch / bug: index.ts uses Bun.write when writing temp files. Bun is not part of standard Node.js; this will fail unless the host runtime is Bun. Confirm the intended runtime or that this code path is safe in your environment.
  - Audit I/O: the plugin will create and modify files under ~/.openclaw/workspace-dev and write to /tmp. If you rely on sensitive files under that path, review file paths and contents the plugin will index before enabling it.
  - Sandbox/testing: run the plugin in an isolated/dev environment (not on a production machine) first. Inspect the scripts and test with benign inputs. Consider patching memory-hook.sh to avoid python -c interpolation and to use argument-based subprocess calls.
  - If you need high assurance: request upstream fixes for the interpolation vulnerability and the Bun usage, or prefer a memory plugin that passes user-supplied text via argv or secure temporary files rather than embedding into code strings.

  Given these specific implementation issues, treat the package as suspicious until the identified problems are fixed.
Review Dimensions
- Purpose & Capability (note): The name/description match what the files implement: local file-backed memory, keyword index, BM25 search, DAG linking, and lifecycle hooks under ~/.openclaw/workspace-dev. Reaching into the user's home workspace and creating memory files is expected for this purpose. One incoherence: the TypeScript plugin uses Bun.write to write temp files in a Node tool handler — Bun is a different runtime and not available in standard Node.js, which suggests either a runtime mismatch or a bug in the implementation (not a credential or permission mismatch).
- Instruction Scope (concern): SKILL.md and the scripts instruct the agent to run local Python and bash scripts that read and write files under the OpenClaw workspace and /tmp (expected). However, memory-hook.sh embeds the task string directly into an inline python -c script via shell interpolation (task_s = '''$task'''). That construct can allow crafted task strings to break out of the Python string or otherwise cause code execution or unexpected behavior. Because the skill is intended for agent invocation, an agent (or user-supplied input) could supply a maliciously crafted task to trigger arbitrary code execution. Other runtime ops (spawnSync/exec) are used correctly with argument arrays in most places, which is safer.
- Install Mechanism (ok): No external install/downloads or remote archives are used; this is essentially an instruction-only plugin with included scripts. Files are local in the package, so there is no high-risk network download in the install spec. That said, the package includes compiled .pyc files and many scripts are written to execute on the host.
- Credentials (ok): The skill declares no required credentials or external services. The scripts optionally read AGENT_ID and WORKSPACE_ROOT and use HOME to locate the workspace — these are appropriate for a local memory plugin. There are no requests for unrelated secrets or cloud credentials.
- Persistence & Privilege (note): always is false and the skill registers tools (expected). Autonomous invocation is allowed (platform default). Combined with the instruction-scope concern (code injection via crafted task strings), autonomous invocation increases the attack surface because the platform could call the plugin with attacker-controllable input. The skill does write files under the user's workspace and /tmp (expected for a memory plugin).
