ClawHub

Evermemos Openclaw Plugin

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate EverOS memory plugin, but it needs review because it automatically stores and logs chat content and persistently changes OpenClaw memory configuration.

Install only if you trust the configured EverOS backend and are comfortable with OpenClaw conversations being stored and potentially written to logs. Review ~/.openclaw/openclaw.json before and after install, keep the .bak backup, verify the backend URL, avoid sensitive conversations until logging and retention are understood, and prefer pinned or inspected setup commands for external installers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly instructs the agent to use shell commands, network access, and local configuration changes, yet it declares no permissions or capability boundaries. This creates a misleading trust model for users and hosts, because the skill can perform impactful actions such as installing packages, editing config files, and restarting services without an explicit permission declaration.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The installer changes global OpenClaw plugin slot assignments, including forcibly setting `contextEngine` to this plugin and setting the separate `memory` slot to `none`. This exceeds narrow installation of the EverOS plugin and can disable or replace other security-relevant or user-selected components, creating configuration integrity and availability risk through unexpected takeover of shared platform settings.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The search logic explicitly queries not only user-oriented memory types like episodic_memory and profile, but also agent_case and agent_skill, which broadens retrieval into operational or potentially sensitive agent knowledge domains. In a memory-installation skill framed around remembering user preferences, this scope expansion creates an over-collection risk and can expose unrelated skills/cases to the caller or downstream model without clear need or consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README states that the plugin automatically saves conversation content to a backend after each turn, but it does not prominently warn users that potentially sensitive chat data will be transmitted and persisted. In a memory plugin context, this is a real privacy/security concern because users may assume local-only behavior unless data collection and retention are made explicit.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The installer modifies OpenClaw configuration, changes plugin load settings, and disables the existing memory slot, but the README does not clearly caution that local system behavior will be altered. While this is expected for an installer, the lack of an explicit warning can cause unintentional configuration changes or service disruption, especially if another memory plugin is already in use.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states that the plugin automatically retrieves memories before each reply and automatically saves conversation content after each turn, but it does not clearly warn users that their chat content will be persistently stored and transmitted to a backend service. In a memory plugin, this omission is security-relevant because users may unknowingly expose sensitive personal or organizational data through normal conversation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The installation instructions say the installer will modify OpenClaw configuration, set the context engine, and force `plugins.slots.memory = "none"`, but they do not clearly warn about the operational and security impact of disabling an existing memory plugin or mutating persistent configuration. This can surprise users, break expected protections or workflows, and make rollback harder if the plugin behaves unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises automatic recall and automatic saving of conversation content but does not provide a prominent privacy warning or consent step before enabling persistent storage. Because users are told memory is triggered by normal conversation, they may disclose sensitive data without realizing it will be retained across sessions and sent to a backend.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill includes commands and jq patches that modify ~/.openclaw/openclaw.json, but there is no prominent upfront warning that a local configuration file will be changed. Silent configuration modification can break existing plugin setups, alter trust boundaries, or make rollback difficult if the user was not prepared for the change.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
This code sends search parameters to a remote /api/v1/memories/search endpoint and logs both the outbound query and returned data, but there is no visible disclosure, consent check, or minimization in this file. For a skill handling memory and preferences, silent transmission of search criteria and results increases privacy risk, especially if queries can include sensitive context or broad memory scopes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The saveMemories function transmits raw conversation content, user identifiers, group identifiers, roles, and timestamps to a remote memories endpoint, and also logs the full payload and response. Because the skill is specifically intended to remember user preferences in OpenClaw, this context makes the data highly likely to contain sensitive personal or behavioral information, so undisclosed exfiltration and verbose logging materially raise confidentiality and privacy risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The engine logs `cfg.userId` at startup and logs `sessionId`/`sessionKey` during lifecycle events, which exposes stable identifiers in application logs. If logs are centrally collected, shared with operators, or retained long-term, they can be used to correlate user activity across sessions and environments without user awareness.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
`afterTurn()` sends converted conversation messages to the EverOS backend via `saveMemories`, meaning user and assistant content is transmitted off-process for storage. In a memory plugin this behavior is functionally expected, but it still creates a real privacy/security risk because potentially sensitive chat data may be exfiltrated to an external service without evidence in this file of consent, minimization, or content filtering.

Ssd 2

Medium
Confidence
97% confidence
Finding
The context-boundary marker is intentionally constructed with zero-width characters between words, making it visually resemble a normal delimiter while defeating simple literal matching, auditing, and prompt-injection defenses that look for plain-text boundary strings. In a prompt-construction module, this is especially dangerous because hidden delimiters can be used to smuggle or separate trusted memory/tool context from user content in ways that downstream reviewers and security filters may not detect.

External Script Fetching

Low
Category
Supply Chain
Content
git clone https://github.com/EverMind-AI/EverMemOS.git
cd EverMemOS
docker compose up -d
curl -LsSf https://astral.sh/uv/install.sh | sh
uv sync
cp env.template .env
# edit .env
Confidence
98% confidence
Finding
curl -LsSf https://astral.sh/uv/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
git clone https://github.com/EverMind-AI/EverMemOS.git
cd EverMemOS
docker compose up -d
curl -LsSf https://astral.sh/uv/install.sh | sh
uv sync
cp env.template .env
# edit .env
Confidence
99% confidence
Finding
| sh

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal