Chromadb Plugin
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The plugin mostly matches its ChromaDB memory-store purpose, but it overstates privacy/offline guarantees while also supporting remote ChromaDB/API-key operation.
Install only if you want ChromaDB-backed OpenClaw memory. Treat the 'zero data leakage' claim as valid only for local-only configuration; if you set a host/API key, your memory data may go to that ChromaDB service. Review the installer, consider pinning dependencies, and back up existing LanceDB data before migration.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may store or migrate private memory data believing the plugin has no leakage risk, even though remote ChromaDB configuration can send data to a service they must trust.
This absolute privacy claim is materially overstated because other artifacts show optional remote ChromaDB host/API-key support. Users could underestimate privacy impact if they configure cloud mode.
🔒 Full offline operation, no paid API required, zero data leakage risk
Clarify that the no-leakage claim applies only to local mode, disclose remote/cloud behavior prominently, and avoid absolute 'zero risk' privacy language.
If cloud mode is configured, memory operations may rely on a remote account or service credential.
The plugin can use an API key to access a remote ChromaDB service. This is expected for cloud ChromaDB use, but it is sensitive delegated access.
self.client = chromadb.HttpClient(
    host=host,
    port=port,
    headers={"Authorization": f"Bearer {api_key}"} if api_key else None
)
Use a trusted ChromaDB endpoint, keep API keys out of committed config files, and prefer scoped/rotatable credentials.
Documents added to memory may remain available across future sessions and influence later retrieval results.
The plugin creates a persistent local vector-memory collection. Persistent memory is central to the stated purpose, but it can retain private or untrusted content for future retrieval.
self.client = chromadb.PersistentClient(path=path) ... name="openclaw_memory"
Choose the storage path intentionally, avoid ingesting secrets unnecessarily, and provide users with clear backup, deletion, and retention practices.
Different dependency versions or compromised package sources could affect the installed plugin environment.
The installer fetches unpinned Python packages and copies extension files into OpenClaw's extension directory. This is normal for an integration plugin but depends on package provenance and current package versions.
pip3 install chromadb sentence-transformers pyyaml ... cp chromadb_plugin.py ~/.openclaw/extensions/chromadb/
Run installation in a controlled environment, pin or verify dependency versions where possible, and review installer actions before execution.
