Openclaw Memory Stack
WarnAudited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate memory plugin, but it processes saved conversation text through unsafe local command/database code, so it deserves review before installation.
Install only if you trust the source and are comfortable with persistent shared memory. Keep cloud LLM keys unset for local-only use, avoid putting secrets into conversations, back up or inspect ~/.openclaw/memory, and consider waiting for fixes that parameterize SQLite calls and stop embedding memory text inside Python -c code.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted string saved in memory could break the Python code path or potentially execute Python code locally when deduplication or merging runs.
The function handles existing and new memory content, then embeds that content directly into a Python -c program as triple-quoted source text instead of passing it as data.
python3 -c "... existing_lines = set('''$existing'''.strip().split('\\n')) ... new_lines = '''$new'''.strip().split('\\n') ... result = '''$existing'''.strip() ..."Do not embed memory or conversation text into Python source. Pass data via stdin, files, argv, or JSON with strict escaping, and add tests for quotes, newlines, and Python delimiters before enabling automatic processing.
A crafted memory search query could corrupt the local facts database, cause unintended SQL execution, or make memory lookup unreliable.
The search query and limit are interpolated directly into a SQLite statement; the shown substitution is not safe parameter binding or reliable SQL escaping.
sqlite3 -json "$FACTS_DB" "SELECT ... WHERE facts_fts MATCH '${query//\'/\'}' ORDER BY timestamp DESC LIMIT $limit;"Use SQLite parameter binding or a small validated query builder, escape FTS queries correctly, reject multiple statements, and validate numeric fields such as limit.
Useful context may persist, but sensitive or poisoned information can also be remembered and reused later or by another agent.
The skill is explicitly designed to persist and reuse conversation context automatically and share it across agents.
"SEARCH PIPELINE (runs on every conversation turn)" ... "CAPTURE (runs after every conversation turn)" ... "CROSS-AGENT SHARING"
Review the stored memory location, avoid sharing secrets in conversations, configure project/user boundaries, and provide clear ways to inspect, delete, or disable shared memories.
If you configure a cloud LLM key, conversation excerpts may be sent to that provider and usage may be billed to your account.
The skill can use provider API credentials for optional cloud LLM fact extraction, which is purpose-aligned but sensitive.
OPENAI_API_KEY ... "Fallback API key for OpenAI (optional)" ... sentTo: "api.openai.com or user-configured llmEndpoint"
Leave cloud keys unset if you want local-only behavior; if you do use them, use a restricted key, monitor usage, and confirm the endpoint is the one you intend.
Upgrades can replace local plugin code, so compromise or misconfiguration of the release source would affect the installed memory provider.
The manual upgrade flow downloads a release tarball and runs the downloaded installer after checking a SHA-256 value fetched from the same release service.
DOWNLOAD_URL="$RELEASE_BASE_URL/download/latest" ... curl ... "$DOWNLOAD_URL" ... chmod +x "$EXTRACTED_DIR/install.sh" ... exec "$EXTRACTED_DIR/install.sh" --upgrade --from-self
Run upgrades only when you intend to, verify the release source, prefer signed releases or independently published checksums, and back up ~/.openclaw/memory before upgrading.