Back to plugin

Security audit

Zvec Memory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real long-term memory plugin; the main thing to understand is that it stores memory locally and may send memory text to the embedding or rerank services you configure.

Install this if you want OpenClaw to keep long-term memory using local Zvec storage. Be aware that memory content and workspace memory files may be embedded and searched, and if you configure cloud providers such as OpenAI or a Jina-compatible rerank endpoint, relevant text may be sent to those services. Review the embedding and rerank configuration carefully, especially any API keys or custom endpoints.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal, suspicious.install_untrusted_source

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/embeddings.js:82
Evidence
...([REDACTED] ? { apiKey: [REDACTED] } : {}),

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:172
Evidence
apiKey: [REDACTED],

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
openclaw.plugin.json:41
Evidence
"placeholder": "http://127.0.0.1:11434/v1",