Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- dist/index.js:67
- Evidence
const keyVal = process.env[keyName];
Security audit
Security checks across malware telemetry and agentic risk
KongBrain appears to be a real persistent-memory plugin, but it broadly stores and reuses conversation history and includes an unrelated agent handoff instruction, so it should be reviewed before installation.
Install only if you want a broad persistent memory layer for OpenClaw. Use a local, strongly protected SurrealDB instance, avoid secrets unless you can inspect and delete stored memories, be careful with external embedding providers, and verify or remove the unrelated .kongcode-handoff.json file before trusting the package.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal
const keyVal = process.env[keyName];
const keyVal = process.env[keyName];
authentication: { username: this.config.user, password: [REDACTED] }authentication: { username: this.config.user, password: [REDACTED] },