KongBrain
Security checks across malware telemetry and agentic risk
Overview
KongBrain appears to be a real persistent-memory plugin, but it broadly stores and reuses conversation history and includes an unrelated agent handoff instruction, so it should be reviewed before installation.
Install only if you want a broad persistent memory layer for OpenClaw. Use a local, strongly protected SurrealDB instance, avoid secrets unless you can inspect and delete stored memories, be careful with external embedding providers, and verify or remove the unrelated .kongcode-handoff.json file before trusting the package.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive conversation details, tool outputs, preferences, corrections, and learned procedures may persist and influence future agent behavior.
The skill automatically persists conversation-derived memories and reuses them in future context, but the visible instructions do not clearly bound retention, deletion, exclusions, or trust handling for poisoned or sensitive memories.
records conversations and extracts knowledge automatically ... Tiered memory - core memories always loaded, session memories pinned, rest searched on demand
Use only with a trusted local database, avoid entering secrets unless you have a deletion/retention plan, and look for clear controls to inspect, edit, and purge stored memories.
If an agent or context system ingests this file as instructions, it could redirect work toward unrelated MCP queue processing.
This packaged file contains direct agent instructions unrelated to KongBrain's memory-engine purpose, including tool calls and output suppression. There is no evidence it is automatically executed, but it is purpose-mismatched prompt material.
"Drain the KongCode pending_work queue. Loop: call mcp__plugin_kongcode_kongcode__fetch_pending_work ... auto-drain, not user-facing — produce no narration"
The publisher should remove runtime handoff artifacts from the package; users should verify that installed package files are not being loaded as instructions.
Misconfigured credentials or an untrusted embedding endpoint could expose memory contents or allow unwanted access to the memory database.
The plugin needs database credentials and may use an OpenAI-compatible API key for embeddings; this is expected for the stated integration, but users should understand which accounts and endpoints they are authorizing.
env: SURREAL_URL, SURREAL_USER, SURREAL_PASS ... optionalEnv: ... OPENAI_BASE_URL ... OPENAI_API_KEY
Bind SurrealDB to localhost when possible, use strong unique credentials, and only set OPENAI_BASE_URL/API keys for providers you trust with embedded text.
First startup depends on a remote model artifact; availability or provenance issues could affect the plugin.
The first-run model download is disclosed and purpose-aligned, but it is still a remote supply-chain dependency that users should verify.
The BGE-M3 embedding model (~420MB) downloads automatically on first startup from Hugging Face
Install from a trusted source, pin or prefetch the model where possible, and review the configured model path for production use.
Conversation-derived data may be processed asynchronously and after restarts as part of memory maintenance.
The background worker is disclosed and central to the memory engine, but it means the plugin continues processing conversation data outside the immediate user turn.
Memory extraction runs in the background via a daemon worker thread
Run it only in environments where background memory processing is acceptable, and confirm how to stop the daemon and purge generated state.