Jasper Recall

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Jasper Recall has a coherent local-memory purpose, but its HTTP recall server builds a shell command from the request query, which could let a reachable caller run commands on the user's machine.

Review before installing. The memory features are largely disclosed and purpose-aligned, but avoid starting the HTTP server, binding it to 0.0.0.0, or enabling private server queries until the shell-execution issue is fixed. If you run setup, treat it like trusted local code and carefully curate what memory files are indexed or shared.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Destructive delete command

Warn
Finding
Documentation contains a destructive delete command without an explicit confirmation gate.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
High
What this means

If the recall server is reachable, especially when bound to 0.0.0.0, a local, container, browser-driven, or remote caller could potentially run commands as the user running Jasper Recall.

Why it was flagged

The server accepts an HTTP query, interpolates it into a shell command string, and runs it with execSync. Escaping only quotes is not sufficient for shell safety because constructs such as command substitution can still be interpreted by the shell.

Skill content
function executeRecall(query, options = {}) { ... let cmd = `${RECALL_SCRIPT} ... ${query.replace(...)} ...`; ... const output = execSync(cmd, {
Recommendation

Do not expose the recall server until this is fixed. Replace execSync command strings with execFile/spawn using an argv array, validate inputs, keep the server on localhost, and avoid RECALL_ALLOW_PRIVATE or external binding unless absolutely necessary.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Running setup trusts the published package and its Python dependencies with local user-level code execution.

Why it was flagged

Setup installs unpinned Python dependencies and writes executable helper scripts into the user's home directory. This is expected for a local RAG tool, but it expands trust to npm/PyPI package provenance.

Skill content
run(`${pip} install --quiet chromadb sentence-transformers`); ... fs.writeFileSync(destPath, content); fs.chmodSync(destPath, 0o755);
Recommendation

Install only from a trusted source, prefer pinned/audited dependency versions, and run setup in a non-sensitive profile or container if you have doubts about provenance.

ASI06: Memory and Context Poisoning
Medium
What this means

Old notes, session digests, or shared memories may influence future agent behavior without being re-approved each time.

Why it was flagged

The skill can automatically retrieve persistent memories and insert them into future agent context before processing messages. This is central to the skill, but stored or shared memory can become stale, overly trusted, private, or poisoned.

Skill content
autoRecall: true ... the plugin hooks into before_agent_start ... Injects results as <relevant-memories> context
Recommendation

Keep memory paths narrow, review what is indexed, use publicOnly for sandboxed agents, disable autoRecall if you want manual control, and treat retrieved memories as untrusted context rather than instructions.