Jasper Recall

Suspicious
Audited by ClawScan on May 10, 2026.

Overview

Jasper Recall is a coherent local memory tool, but its HTTP recall server builds shell commands from incoming queries and exposes unauthenticated CORS access.

Review carefully before installing. If you use it, avoid running `npx jasper-recall serve`, especially with `--host 0.0.0.0` or `RECALL_ALLOW_PRIVATE=true`, until the shell execution and authentication/CORS issues are fixed. Only index memory you intend agents to reuse, and check the OpenClaw plugin settings after setup.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern
High Confidence

ASI05: Unexpected Code Execution

What this means

If the recall server is running, a crafted request could run commands as the local user account.

Why it was flagged

The HTTP recall query is used to build a shell command string passed to `execSync`. Escaping only quotes does not prevent shell command substitution such as `$()`, so a crafted query could execute local commands.

Skill content

function executeRecall(query, options = {}) { ... const output = execSync(cmd, {

Recommendation

Do not expose or rely on the server until this is fixed. Replace execSync shell strings with execFile/spawn argument arrays and validate query input.

What this means

Other local processes, containers, or websites visited in a browser could query the recall API while it is running; if private access is enabled, this could expose private memories.

Why it was flagged

The memory search server allows any browser origin and exposes a recall endpoint without an authentication mechanism in the handler.

Skill content

res.setHeader('Access-Control-Allow-Origin', '*'); ... if (pathname === '/recall' || pathname === '/api/recall') {

Recommendation

Keep the server disabled unless needed, bind only to localhost, restrict CORS, add an authentication token, and avoid enabling private queries on a network-accessible server.

What this means

Incorrect, sensitive, or poisoned memory entries may influence future agent responses or be surfaced in contexts where they were not intended.

Why it was flagged

The skill intentionally persists and automatically reuses indexed memory in future agent context.

Skill content

When `autoRecall: true`, the plugin hooks into `before_agent_start` ... Injects results as `<relevant-memories>` context

Recommendation

Index only intended memory folders, review public/private tags, use publicOnly for sandboxed agents, and disable autoRecall if automatic context injection is not desired.

What this means

Future dependency versions could change behavior or introduce vulnerabilities when setup or repair commands install packages.

Why it was flagged

Setup installs unpinned Python packages from the package ecosystem, which is expected for this local RAG tool but still affects provenance and reproducibility.

Skill content

run(`${pip} install --quiet chromadb sentence-transformers`);

Recommendation

Prefer pinned dependency versions or a reviewed lockfile, and run setup only from a trusted package source.