vector-memory
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Package: vector-memory (mcp)
Version: 2.1.1
Description: Smart memory search with automatic vector fallback. Uses semantic embeddings when available, falls back to built-in search otherwise. Zero configuration - works immediately after install.
The package provides a local vector-based memory search system for the OpenClaw agent framework. It utilizes the Transformers.js library to generate embeddings locally using the all-MiniLM-L6-v2 model, enabling semantic search capabilities without external API calls. The codebase includes a smart wrapper (smart_memory.js) that automatically switches between neural vector search and a keyword-based fallback search depending on the availability of the index. It manages memory files within a specific workspace directory, implements semantic chunking, and provides a CLI for indexing and searching. No malicious behavior, unauthorized data exfiltration, or suspicious network activity was detected; the installation script and file operations are consistent with the stated purpose of an agent skill extension.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted memory search query could cause commands to run in the OpenClaw workspace.
execSync runs through a shell, and query is user/tool input. JSON.stringify does not prevent shell expansion such as command substitution inside double quotes.
execSync(`node vector-memory/vector_memory_local.js --search ${JSON.stringify(query)} --max-results ${maxResults}`
Replace execSync shell strings with execFile/spawn using an argument array, strictly validate max_results, and avoid shell interpolation for user-controlled values.
Prompted or malicious search text could misuse the memory_search tool as a command execution path.
The tool manifest places a user-controlled query directly into a command string. If executed by a shell or combined with the internal execSync wrapper, shell metacharacters can be misused.
"command": "node {{workspace}}/vector-memory/smart_memory.js --search \"{{query}}\" --max-results {{max_results|5}}"
Use safe structured argument passing in the skill manifest, enforce escaping at the runner boundary, and validate all tool arguments before execution.
A crafted file path using traversal such as ../ could read files outside the intended memory area, potentially exposing local secrets or configuration.
memory_get accepts filePath from the tool call and reads the joined path without resolving and checking that it remains under MEMORY.md or the memory directory.
const fullPath = path.join(WORKSPACE, filePath); ... fs.readFileSync(fullPath, 'utf-8');
Resolve paths canonically, reject absolute paths and '..', restrict reads to approved memory files/directories, and consider line-range limits.
Your memory notes may be duplicated into vectors_local.json and reused in later searches, so anyone with workspace access could read indexed content.
The vector index stores the full content of memory chunks along with embeddings in a persistent local JSON database.
db.chunks.push({ path: relativePath, ... content: chunk.content, embedding: embedding, hash: fileHash })
Only sync intended memory files, protect the workspace, and delete or regenerate the vector database when removing sensitive memory.
Following the optional GitHub install path could run remote code or install changing dependencies if the source is not verified.
The optional installer pattern runs a remote shell script from a placeholder GitHub source and later performs npm install; this is user-directed but has weak provenance and pinning.
curl -sL https://raw.githubusercontent.com/YOUR_USERNAME/vector-memory-openclaw/main/install.sh | bash
Prefer the reviewed registry artifact, publish a real verified repository, pin dependencies with a lockfile, and avoid curl|bash installation guidance.
Using the sample password in a shared deployment or placing real API keys in docs or shell history could weaken account and database security.
The optional pgvector guide includes a fixed example database password and an API key placeholder. It is documentation, not active code, but users may copy it.
export PG_PASSWORD=openclaw_memory_2025
export OPENAI_API_KEY=sk-...
Use unique generated secrets, keep real API keys out of committed files, and rotate any credential accidentally copied from examples.
