Back to plugin

Security audit

MCP Memory Service

Security checks across malware telemetry and agentic risk

Overview

This memory plugin is purpose-aligned but needs Review because it enables broad automatic capture and reinjection of tool outputs by default, and the packaged runtime does not match the thin-client behavior described in the docs.

Install only if you intentionally want persistent agent memory. Before enabling it, set narrow capture rules, consider disabling autoCapture and autoRecall by default, avoid using it around secrets or private command output, and verify which packaged code actually runs because the docs/source describe HTTP storage while the distributed dist code appears to use local SQLite and embeddings.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.install_untrusted_source

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
openclaw.plugin.json:14
Evidence
"serviceUrl": { "type": "string", "default": "http://127.0.0.1:3202/mcp" },