Security audit
Smart Memory
Security checks across malware telemetry and agentic risk
Overview
The skill appears to implement a local memory manager consistent with its description; the only noteworthy risks are expected (optional Mem0 cloud syncing and automatic injection of recalled memories into the system prompt), but there are no incoherent or unexplained requirements.
This plugin appears to do what it claims. Before installing, consider: (1) Data locality — memories are stored under ~/.openclaw/smart-memory; review and audit that directory if you have sensitive content. (2) Mem0 cloud — only enable/use Mem0 if you trust the service; MEM0_API_KEY is required for cloud extraction and will send conversation content to Mem0. (3) Prompt injection — the plugin injects recalled memories into the system prompt by default; if you are concerned about sensitive data or undesired behavior, disable autoExtract/autoMaintain or turn off prompt injection in configuration. (4) Autonomy — the plugin registers tools the agent can call; combined with auto-injection this increases impact if the agent is misused. (5) Review plugin source (included) before installing and consider running in a restricted environment or with Mem0 disabled. If you want lower risk, install but set extractionProvider: "local" and autoExtract/autoMaintain to false and avoid setting MEM0_API_KEY.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
