Back to plugin

Security audit

KongBrain

Security checks across malware telemetry and agentic risk

Overview

KongBrain appears to be a real persistent-memory plugin, but it broadly stores and reuses conversation history and includes an unrelated agent handoff instruction, so it should be reviewed before installation.

Install only if you want a broad persistent memory layer for OpenClaw. Use a local, strongly protected SurrealDB instance, avoid secrets unless you can inspect and delete stored memories, be careful with external embedding providers, and verify or remove the unrelated .kongcode-handoff.json file before trusting the package.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:67
Evidence
const keyVal = process.env[keyName];

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/embeddings-openai.ts:35
Evidence
const keyVal = process.env[keyName];

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/chunk-XSIONAGJ.js:198
Evidence
authentication: { username: this.config.user, password: [REDACTED] }

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/surreal.ts:167
Evidence
authentication: { username: this.config.user, password: [REDACTED] },