Plugin v0.6.7
ClawScan security
🧠 Supermemory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 7, 2026, 2:29 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The plugin's code, instructions, and configuration are consistent with a local graph-based memory plugin; no evidence it is trying to do something unrelated, but there are a few privacy/attention items you should review before enabling cloud embeddings or auto-capture.
- Guidance
- What to consider before installing:
  - This plugin appears to be what it claims: a local SQLite-based memory system for OpenClaw. The main risks are privacy and data leakage, not hidden malicious behavior.
  - If you enable embeddings with a cloud provider (OpenAI, Gemini, etc.), your conversation text and/or derived embeddings will be sent to that provider. If you need stronger privacy, either disable embeddings (embedding.enabled: false) or use a local embedding provider (e.g., Ollama or another local endpoint) and avoid entering cloud API keys.
  - Auto-capture and auto-recall are convenient but cause the plugin to automatically process and store conversation turns. If you have sensitive conversations, disable auto-capture or auto-recall and use manual /remember and /recall commands.
  - The configure flow will read and write your OpenClaw config (~/.openclaw/openclaw.json) and the plugin will create a DB under ~/.openclaw by default. Back up any existing config before making changes if you are cautious.
  - The code will attempt to load a sqlite vector extension (sqlite-vec) when embeddings are enabled; loading external SQLite extensions can execute native code if present on the host. This is expected for vector search but be mindful of the host environment and only enable embeddings if you trust installed extensions or run local providers.
  - Because a prompt-injection pattern was flagged in the SKILL.md, scan the full (non-truncated) SKILL.md and the code for any instructions that attempt to modify model/system prompts, or otherwise manipulate agent/system behavior beyond memory retrieval. If you are not comfortable auditing, consider disabling auto-capture and embeddings, then test the plugin in a controlled environment.
  - Overall: reasonable and coherent for its purpose. Use local embedding providers or disable embeddings to minimize external data exposure, and be mindful of auto-capture settings.
- Findings
[system-prompt-override] unexpected: A prompt-injection pattern was detected in the SKILL.md pre-scan. The visible SKILL.md content included here does not obviously contain system-prompt override instructions, so this may be a false positive or located in truncated sections. Still, because this plugin injects memories into prompts and runs an LLM subagent for extraction, review the full SKILL.md and any omitted text for lines that attempt to override system prompts or change model/system instructions.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the code and SKILL.md: this is a local memory plugin that persists a SQLite knowledge graph, extracts entities, runs background maintenance, and supports hybrid retrieval and embeddings. The files, CLI commands, and configuration schema align with that purpose. Nothing requests unrelated credentials or services beyond embedding providers (which is expected).
- Instruction Scope
- note: Runtime instructions and the CLI configure flow read/write your OpenClaw config (~/.openclaw/openclaw.json), create/erase the plugin DB, register slash commands, and optionally auto-capture conversation turns and auto-inject memories into prompts. Those actions are appropriate for a memory plugin, but auto-capture + auto-recall means conversational content will be processed and (if embeddings enabled with a cloud provider) may be sent to that embedding provider. A prompt-injection pattern (system-prompt-override) was flagged in the SKILL.md pre-scan; the visible SKILL.md content appears normal, but review any truncated portions for instructions that could try to manipulate model/system prompts.
- Install Mechanism
- ok: No install spec is provided (instruction-only), so nothing is automatically downloaded or executed by the installer. The package includes source files intended to run inside OpenClaw; there is no remote URL, shortener, or extract step in the manifest. This is lower install risk.
- Credentials
- note: The plugin declares no required environment variables by default. It supports embedding.apiKey and baseUrl in config and accepts ${ENV_VAR} substitution; using cloud embedding providers therefore requires you to supply (optionally via env var) an API key. That is proportional to the stated functionality but is the primary privacy/exfiltration risk: enabling embeddings with a cloud provider will transmit data (texts/embeddings) to that provider. The plugin otherwise confines data to a user DB path under your home directory.
- Persistence & Privilege
- ok: The skill is not always:true and is user-invocable. It persists its own database under ~/.openclaw (default) and writes the plugin entry into OpenClaw's config via the interactive configure step. These are expected for a plugin that manages local memory. Autonomous invocation is allowed (default), appropriate for a memory plugin, but combined with cloud embeddings means the agent could automatically send conversation content to the configured embedding provider unless you disable auto-capture or choose a local provider.
