Jasper Recall
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: jasper-recall
Version: 0.4.0
The skill is classified as suspicious due to several risky capabilities, despite clear efforts towards security and transparency. The `autoRecall` feature in `extensions/openclaw-plugin/index.ts` injects content from the RAG database directly into the agent's prompt, which, while intended for helpful context, could facilitate prompt injection if the RAG database is compromised or contains adversarial content. Additionally, the `cli/server.js` exposes an HTTP API that executes local commands via `execSync` to query memory, presenting an increased attack surface, even with safe defaults (localhost, public-only) and explicit warnings about insecure configurations. The extensive use of `child_process.execSync` across various Node.js CLI scripts to run external Python and shell scripts, while necessary for functionality, inherently broadens the attack surface for potential command injection vulnerabilities, even if current sanitization appears adequate.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the recall server is running, a crafted request could run commands as the local user account.
The HTTP recall query is used to build a shell command passed to execSync. Escaping only quotes does not prevent shell substitutions such as $(), so a crafted query could execute local commands.
function executeRecall(query, options = {}) { ... const output = execSync(cmd, {
Do not expose or rely on the server until this is fixed. Replace execSync shell strings with execFile/spawn argument arrays and validate query input.
Other local processes, containers, or websites visited in a browser could query the recall API while it is running; if private access is enabled, this could expose private memories.
The memory search server allows any browser origin and exposes a recall endpoint without an authentication mechanism in the handler.
res.setHeader('Access-Control-Allow-Origin', '*'); ... if (pathname === '/recall' || pathname === '/api/recall') {
Keep the server disabled unless needed, bind only to localhost, restrict CORS, add an authentication token, and avoid enabling private queries on a network-accessible server.
Incorrect, sensitive, or poisoned memory entries may influence future agent responses or be surfaced in contexts where they were not intended.
The skill intentionally persists and automatically reuses indexed memory in future agent context.
When `autoRecall: true`, the plugin hooks into `before_agent_start` ... Injects results as `<relevant-memories>` context
Index only intended memory folders, review public/private tags, use publicOnly for sandboxed agents, and disable autoRecall if automatic context injection is not desired.
Future dependency versions could change behavior or introduce vulnerabilities when setup or repair commands install packages.
Setup installs unpinned Python packages from the package ecosystem, which is expected for this local RAG tool but still affects provenance and reproducibility.
run(`${pip} install --quiet chromadb sentence-transformers`);
Prefer pinned dependency versions or a reviewed lockfile, and run setup only from a trusted package source.
