mem0 Local Memory

Security checks across malware telemetry and agentic risk

Overview

This looks like a disclosed local memory plugin, but it asks users to enable broad persistent cross-agent memory with limited containment guidance.

Install only if you intentionally want shared long-term memory across OpenClaw agents. Review MEMORY.md and TOOLS.md before importing, keep MEM0_URL on localhost unless you explicitly trust the remote server, use dedicated API keys, consider disabling autoCapture until tested, and make sure you know how to stop the service and delete stored memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Tainted flow: 'MEM0_URL' from os.environ.get (line 17, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def add_memory(text: str, source_agent: str, source_file: str) -> bool:
    """Add a memory to mem0 with unified user_id and source metadata."""
    try:
        r = requests.post(
            f"{MEM0_URL}/api/memory/add",
            json={
                "text": text,
Confidence
90% confidence
Finding
r = requests.post( f"{MEM0_URL}/api/memory/add", json={ "text": text, "user_id": UNIFIED_USER_ID, "metadata": {

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill requires environment variables, local file access, network communication, and shell execution, but does not declare those capabilities explicitly. This creates a transparency and consent problem: users may approve a 'memory plugin' without realizing it reads workspace files, installs software, and transmits content to external APIs.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior goes beyond a simple local-memory setup by importing MEMORY.md and TOOLS.md from multiple workspaces, centralizing data across agents, and forwarding text to services that depend on external APIs. In this context, the mismatch is dangerous because users may expect isolated local storage, while the skill enables cross-workspace aggregation and third-party exposure of potentially sensitive operational notes.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script intentionally collapses memories from multiple agent workspaces into a single shared user_id, removing logical separation between agents. This can cause cross-agent data leakage, prompt contamination, and unintended access to another agent's memory content across sessions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script uploads memory contents from local workspace files to the mem0 server without explicit user-facing notice about the privacy implications. Because these files can contain sensitive notes, operational details, or credentials, silent transmission increases the chance of unintentional disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script unifies multiple agents' memories under one shared user_id without a runtime warning that isolation is being lost. In this skill context, persistent semantic memory is central functionality, so removing separation materially increases the risk of cross-agent disclosure and incorrect recall of another workspace's data.

Session Persistence

Medium
Category
Rogue Agent
Content
```

```bash
sudo systemctl enable mem0 && sudo systemctl start mem0
```

**Verify:**
Confidence
91% confidence
Finding
systemctl enable

Session Persistence

Medium
Category
Rogue Agent
Content
**Option C — Linux systemd:**

Create `/etc/systemd/system/mem0.service`:
```ini
[Unit]
Description=mem0 local memory server
Confidence
89% confidence
Finding
Create `/etc/systemd/system/mem0.service`: ```ini [Unit] Description=mem0 local memory server After=network.target [Service] User=YOUR_USER WorkingDirectory=/path/to/openclaw-plugin-mem0-local/server

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Copy and edit the template — replace $HOME, API keys, proxy settings
cp launchd/ai.openclaw.mem0.plist ~/Library/LaunchAgents/
# IMPORTANT: edit the plist to fill in your actual paths and API keys
nano ~/Library/LaunchAgents/ai.openclaw.mem0.plist
# Load the service
Confidence
86% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Copy and edit the template — replace $HOME, API keys, proxy settings
cp launchd/ai.openclaw.mem0.plist ~/Library/LaunchAgents/
# IMPORTANT: edit the plist to fill in your actual paths and API keys
nano ~/Library/LaunchAgents/ai.openclaw.mem0.plist
# Load the service
launchctl load ~/Library/LaunchAgents/ai.openclaw.mem0.plist
Confidence
84% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
# Copy and edit the template — replace $HOME, API keys, proxy settings
cp launchd/ai.openclaw.mem0.plist ~/Library/LaunchAgents/
# IMPORTANT: edit the plist to fill in your actual paths and API keys
nano ~/Library/LaunchAgents/ai.openclaw.mem0.plist
# Load the service
launchctl load ~/Library/LaunchAgents/ai.openclaw.mem0.plist
```
Confidence
87% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
# IMPORTANT: edit the plist to fill in your actual paths and API keys
nano ~/Library/LaunchAgents/ai.openclaw.mem0.plist
# Load the service
launchctl load ~/Library/LaunchAgents/ai.openclaw.mem0.plist
```

**Option C — Linux systemd:**
Confidence
83% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
# IMPORTANT: edit the plist to fill in your actual paths and API keys
nano ~/Library/LaunchAgents/ai.openclaw.mem0.plist
# Load the service
launchctl load ~/Library/LaunchAgents/ai.openclaw.mem0.plist
```

**Option C — Linux systemd:**
Confidence
83% confidence
Finding
plist

VirusTotal

64/64 vendors flagged this skill as clean.
