File appears to expose a hardcoded API secret or token.
- Code
- suspicious.exposed_secret_literal
- Location
- dist/embeddings.js:82
- Evidence
...([REDACTED] ? { apiKey: [REDACTED] } : {}),
Security audit
Security checks across malware telemetry and agentic risk
This appears to be a real long-term memory plugin; the main thing to understand is that it stores memory locally and may send memory text to the embedding or rerank services you configure.
Install this if you want OpenClaw to keep long-term memory using local Zvec storage. Be aware that memory content and workspace memory files may be embedded and searched, and if you configure cloud providers such as OpenAI or a Jina-compatible rerank endpoint, relevant text may be sent to those services. Review the embedding and rerank configuration carefully, especially any API keys or custom endpoints.
VirusTotal engine telemetry is currently stale for this artifact.
Detected: suspicious.exposed_secret_literal, suspicious.install_untrusted_source
...([REDACTED] ? { apiKey: [REDACTED] } : {}),apiKey: [REDACTED],
"placeholder": "http://127.0.0.1:11434/v1",