Cortex Memory

Security checks across malware telemetry and agentic risk

Overview

Cortex Memory appears to be a coherent long-term memory plugin, but it persists conversation history and its CLI may print API-key-bearing configuration without redaction.

Install this only if you want OpenClaw to maintain cross-session memory. Use environment variables rather than literal API keys, do not share status/config output, review or disable automatic sync if you do not want old conversations imported, and configure only trusted embedding or LLM endpoints.

VirusTotal

No VirusTotal findings


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI01: Agent Goal Hijack
Severity: Low
What this means

The agent may proactively search memory before answering some questions and may treat memory-tool use as a normal part of its workflow.

Why it was flagged

The skill provides system-prompt-style instructions that direct when the agent must use memory tools. This is aligned with the plugin's memory purpose, but users should be aware that it shapes agent behavior.

Skill content
Agent user manual (system prompt)... "Cortex Memory memory plugin usage rules (core rules, must not be deleted)" ... "the following rules must be followed" ... "call `search_memory` first, then answer"
Recommendation

Use these rules only if you want Cortex Memory to influence the agent’s workflow, and keep higher-priority privacy or task instructions explicit.

ASI02: Tool Misuse and Exploitation
Severity: Low
What this means

The skill can change the agent’s long-term memory store, including adding imported history or deleting specific memories.

Why it was flagged

The registered tools can write, sync, backfill, and delete persistent memory. The documentation includes an explicit confirmation rule for deletion, so this is purpose-aligned but still a meaningful capability.

Skill content
`store_event` ... `sync_memory` ... `backfill_embeddings` ... `delete_memory` ... "call `delete_memory` only when the user explicitly asks to delete a memory and the `memory_id` has been confirmed"
Recommendation

Confirm high-impact memory operations, especially sync, backfill, conflict resolution, and deletion.

ASI03: Identity and Privilege Abuse
Severity: Low
What this means

Users may need to provide API keys for external AI services, even though the registry metadata says no credential is required.

Why it was flagged

The documented configuration uses embedding and LLM provider API keys. This is expected for the stated embedding/LLM features, but the registry metadata does not declare credentials.

Skill content
"embedding": { ... "apiKey": "${EMBEDDING_API_KEY}", "baseURL": "https://your-embedding-endpoint/v1" ... }, "llm": { ... "apiKey": "${LLM_API_KEY}"
Recommendation

Prefer environment-variable references over literal keys in config files, and use least-privilege provider keys where possible.

ASI03: Identity and Privilege Abuse
Severity: Medium
What this means

A user running or sharing `cortex-memory status` output could accidentally reveal provider API keys if they are stored directly in the OpenClaw config.

Why it was flagged

The status command prints the entire plugin configuration. Because the documented config contains `apiKey` fields, real keys placed in the config could be exposed in terminal output or copied logs.

Skill content
console.log('\nConfiguration:');
console.log(JSON.stringify(pluginConfig || { enabled: true }, null, 2));
Recommendation

Redact secret-looking fields in status output, and avoid sharing command output or config files that may contain API keys.

ASI06: Memory and Context Poisoning
Severity: Medium
What this means

Conversation history, preferences, project decisions, and derived rules may be recalled in future sessions.

Why it was flagged

The skill intentionally persists memory across sessions, imports historical sessions, and writes reusable rules. This is core to the purpose but means sensitive or incorrect memories can affect later tasks.

Skill content
"continuously accumulate high-value memories across sessions and recall them reliably" ... "incremental sync: incrementally import historical sessions according to a state file" ... "rules are written to `CORTEX_RULES.md` for reuse in later tasks"
Recommendation

Review what is stored, honor “do not remember” requests, disable automatic sync if undesired, and use `delete_memory` or cleanup controls when needed.

ASI07: Insecure Inter-Agent Communication
Severity: Medium
What this means

Stored or synced memory text may be transmitted to the embedding provider configured by the user.

Why it was flagged

Memory text is sent to a configured embedding endpoint using a bearer API key. This is expected for embeddings, but it means memory content can leave the local environment.

Skill content
const body = { input: args.text, model: args.model };
...
fetch(endpoint, {
  method: "POST",
  headers: {
    "content-type": "application/json",
    authorization: `Bearer ${args.apiKey}`
  },
  body: JSON.stringify(body)
})
Recommendation

Only configure trusted embedding/LLM endpoints, understand their data-retention policy, and avoid storing secrets or highly sensitive data in long-term memory.