Plugin v0.9.53

ClawScan security

MemClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Apr 20, 2026, 9:27 PM)
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
MemClaw appears to be a legitimate local-memory plugin and its requirements generally match its purpose, but the maintenance instructions attempt to change agent startup behaviour (AGENTS.md / 'ALWAYS execute at conversation start') and the package includes platform binaries/optionalDeps and an 'enhance agent' config that could allow automatic modification of agent guidance — this mismatch warrants caution.
Guidance
What to check before installing/activating MemClaw:

1) Review and back up AGENTS.md and openclaw.json before applying any changes. The maintenance docs ask you to edit AGENTS.md to force memory-loading at agent startup; only apply that after understanding the behavioral change.
2) Disable automatic 'enhanceClawAgent' behavior initially (set enhanceClawAgent=false) until you audit the plugin's code for any calls that programmatically change gateway/agent config (look in dist/plugin-impl.js for updateConfig/registerHook usage).
3) Inspect the optional native binary packages (@memclaw/bin-*) before install or test in an isolated environment. If possible, install in a sandbox or QA instance first.
4) Confirm where your LLM/embedding API keys will be stored (OpenClaw marks them sensitive) and ensure you’re comfortable granting them to a local plugin that will call your configured endpoints. Rotate keys after testing if needed.
5) Look through the compiled JS (dist/) for any network calls or hard-coded endpoints beyond the configured serviceUrl/LLM endpoints; verify that data transmission is constrained to local services and your configured LLM/embedding endpoints.
6) If you want minimal blast radius: keep autoStartServices=false and avoid running migration or the maintenance 'always run at startup' steps until you’ve reviewed the code and tested locally.

If you want, I can (a) search the dist/plugin-impl.js and other compiled files for calls to updateConfig/registerHook, network endpoints, or child-process spawning, or (b) list specific lines that implement auto-update/auto-enhance behavior so you can inspect them.
Findings
[system-prompt-override] unexpected: The SKILL.md and maintenance docs instruct updating AGENTS.md and include 'ALWAYS execute at conversation start' style directives which look like system-prompt or agent-behavior overrides. That pattern is not necessary to provide a memory tool and is flagged as a prompt-injection style pattern.

Review Dimensions

Purpose & Capability
ok: The name/description, openclaw.plugin.json, tools documented in SKILL.md, and included code all align with a memory/migration plugin: layered L0/L1/L2 retrieval, local storage, migration from native memory, local service (cortex-mem-service + Qdrant). No unrelated cloud provider credentials or unrelated binaries are requested in metadata.
Instruction Scope
concern: The maintenance SKILL.md instructs operators to update AGENTS.md to force memory-loading behavior (explicit 'ALWAYS execute at conversation start' sequence). It also recommends searching all memories by default (omit scope) and tells users not to skip steps. These are instructions that change agent/system-level behaviour (system prompt / agent startup), which is broader than mere memory access and could be used to alter agent policies or persist behavior across sessions.
Install Mechanism
note: Registry entry lists no explicit install script but the package includes compiled JS (dist/) and optionalDependencies for platform binary packages (@memclaw/bin-...). Installing the plugin via the normal OpenClaw plugin mechanism (npm-style) will pull those optional binary packages. The binary packages are scoped under @memclaw (not arbitrary URLs), which is reasonable, but optional native binaries increase the attack surface and should be audited before installation.
Credentials
ok: No environment variables are required by the skill metadata. The plugin config schema requests LLM and embedding API keys (marked sensitive) in openclaw.plugin.json, which is appropriate for local memory extraction/embedding tasks. The number and type of secrets requested (llmApiKey, embeddingApiKey) are proportional to the stated functionality.
Persistence & Privilege
concern: The plugin exposes an 'enhanceClawAgent' config (default true) and the maintenance docs explicitly instruct modifying AGENTS.md to change agent behavior at startup. While the skill itself is not marked always:true, these instructions — combined with plugin APIs that can update config — could lead to persistent changes to agent startup behavior or gateway configuration. This elevated persistence/privilege should be considered before enabling automatic features.