Evermemos Openclaw Plugin

Advisory: Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private conversation content can become long-term memory and be reused in later sessions; the artifacts do not show per-turn approval, exclusions, deletion, or retention controls.

Why it was flagged

In `afterTurn()`, new non-tool user/assistant messages are converted and saved to the configured EverOS backend after each turn.

Skill content

const converted = newMessages ... .map(convertMessage) ...; await saveMemories(cfg, { userId: cfg.userId, groupId: cfg.groupId, messages: converted, ... }, log);

Recommendation

Use only with a trusted backend, document retention/deletion behavior, and add user controls to exclude sensitive turns or disable automatic saves.

What this means

If stored memory is stale, incorrect, or prompt-injected, it may steer the agent across future tasks with high priority.

Why it was flagged

Retrieved backend memory is inserted as a system-role message ahead of the conversation.

Skill content

const memoryMessage = { role: "system", content: `[Relevant Memory]\n${context}`, _memory: true };

Recommendation

Treat recalled memories as untrusted quoted data, sanitize instruction-like content, and consider injecting memory at a lower priority with clear boundaries.

What this means

Sensitive chat content and recalled memories may appear in OpenClaw logs or terminal output beyond the EverOS memory store itself.

Why it was flagged

The API client logs full memory write payloads and memory search responses.

Skill content

log.info(`${TAG} POST /api/v1/memories`, JSON.stringify(payload)); ... log.info(`${TAG} GET response ${label}`, JSON.stringify(r));

Recommendation

Redact message content from normal logs, make verbose logging opt-in, and warn users where logs are stored.

What this means

Running the installer can interrupt or reload OpenClaw so the new context engine takes effect.

Why it was flagged

The installer contains a fixed shell command to restart the OpenClaw gateway.

Skill content

exec("openclaw gateway restart", (err) => {

Recommendation

Only run the installer when ready to restart OpenClaw, and review the command before approving setup.

What this means

The installed code may depend on the current remote package/script contents at install time.

Why it was flagged

The documented setup uses an unpinned npm package invocation and a remote shell installer for backend tooling.

Skill content

npx --yes --package @evermind-ai/openclaw-plugin everos-install ... curl -LsSf https://astral.sh/uv/install.sh | sh

Recommendation

Prefer pinned versions, verify package provenance, and inspect remote installer scripts before running them.

Note: High Confidence
ASI08: Cascading Failures

What this means

Existing memory behavior may change across future OpenClaw sessions after installation.

Why it was flagged

The installer persistently changes OpenClaw plugin slots and disables the existing memory slot to avoid conflicts.

Skill content

config.plugins.slots.contextEngine = PLUGIN_ID; ... config.plugins.slots.memory = "none";

Recommendation

Review the generated `~/.openclaw/openclaw.json` and keep the `.bak` backup so previous memory settings can be restored.

Findings (2)

critical: suspicious.dangerous_exec

Location: bin/install.js:217
Finding: Shell command execution detected (child_process).

critical: suspicious.env_credential_access

Location: bin/install.js:17
Finding: Environment variable access combined with network send.