Back to plugin

Security audit

Hippodid Openclaw Plugin

Security checks across malware telemetry and agentic risk

Overview

The plugin's code, instructions, and configuration are internally consistent with its stated purpose (cloud sync of MEMORY.md files), but it will transmit local memory files to a remote service so you should review and trust the HippoDid endpoint and API key handling before enabling.

This plugin is coherent with its stated goal, but it will read and upload your MEMORY.md and memory/*.md files to a HippoDid server using an apiKey you add to openclaw.json. Before installing: (1) Confirm you trust the HippoDid service (https://api.hippodid.com by default) and review the package source (dist/ and src/) if you need higher assurance. (2) Use a test character or non-sensitive memory initially to verify behavior. (3) Consider whether you want memory files to leave your machine — do not enable on sensitive workspaces unless you accept cloud sync. (4) If you need extra safety, host a private HippoDid-compatible endpoint (baseUrl override) or keep autoCapture/autoRecall disabled. Finally, note the SKILL.md auto-detects common workspace paths (including ~), so review and, if needed, explicitly configure additionalPaths to limit what is watched/uploaded.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.