Memory Pro System

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a real memory plugin, but it auto-runs an external Python memory server, uses persistent prompt injection, and handles credentials in ways that need review before installation.

Install only if you are comfortable running and auditing the separate Python memory server. Before enabling it, pin the repository version, inspect the server code and dependencies, use scoped LLM credentials, consider disabling autoStart and contextInjection, and verify how memories, generated skills, scheduled jobs, and any webhook/tool-call bindings are controlled.

Static analysis

Dangerous exec
Severity: Critical
Finding: Shell command execution detected (child_process).
Content: serverProcess = spawn(

Env credential access
Severity: Critical
Finding: Environment variable access combined with network send.
Content: env: { ...process.env, PYTHONUNBUFFERED: "1" },

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
Severity: High
What this means

Installing and enabling the plugin can cause Python code from the memory workspace to run in the background with the user's environment.

Why it was flagged

The plugin launches a Python script from the configured or auto-detected workspace as a background server. That is central to the plugin, but it gives the plugin code-execution authority outside the reviewed TypeScript package.

Skill content
serverProcess = spawn(cfg.pythonPath, [serverScript, "--port", String(cfg.memoryServerPort)], { cwd: ws, ... env: { ...process.env, PYTHONUNBUFFERED: "1" } })
Recommendation

Inspect and pin the Python workspace before enabling auto-start; consider setting autoStart to false until the server code and dependencies are reviewed.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Medium
What this means

The runtime behavior depends on external Python code and dependencies that may differ from the reviewed plugin package.

Why it was flagged

Setup pulls a separate Git repository and installs it in editable mode without a pinned commit or lockfile shown in the artifacts; that workspace supplies the server code the plugin starts.

Skill content
git clone https://github.com/FluffyAIcode/openclaw-memory-pro-system.git memory-pro ... pip install -e .
Recommendation

Use a pinned release or commit, review the Python project and dependency lockfiles, and avoid editable installs for production use.

ASI06: Memory and Context Poisoning
Severity: High
What this means

Incorrect, malicious, or stale memories could be reused as context and steer future agent behavior without the user noticing each time.

Why it was flagged

Persistent recalled memory is automatically inserted into future prompts by default, so stored content can influence later agent reasoning and tool choices.

Skill content
"contextInjection": { "type": "boolean", "default": true, "description": "Inject recalled memory into agent prompts via before_prompt_build hook." }
Recommendation

Disable contextInjection by default or require review of injected memory; provide clear controls for deleting, auditing, and scoping stored memories.

ASI02: Tool Misuse and Exploitation
Severity: Medium
What this means

Auto-generated or stored skills could expand from memory recall into actions if enabled without review.

Why it was flagged

The skill advertises generated or registered executable bindings involving prompts, tool calls, and webhooks, but the provided artifacts do not describe approval gates, sandboxing, or limits for those actions.

Skill content
Skill Registry | Versioned skills with utility tracking, feedback loop, executable action bindings (prompt_template / tool_call / webhook).
Recommendation

Require explicit user approval before activating executable skills, tool-call bindings, or webhooks, and document exactly which actions can run.

ASI03: Identity and Privilege Abuse
Severity: Medium
What this means

Provider API keys or auth profiles may be available to the memory server and used for LLM-powered recall, collision, or distillation features.

Why it was flagged

The plugin expects to use LLM provider credentials and local OpenClaw auth profiles, but the registry metadata lists no primary credential or required environment variables.

Skill content
The system auto-detects API keys in this order:
1. OPENROUTER_API_KEY env var
2. OpenClaw auth-profiles.json (openrouter:default)
3. XAI_API_KEY env var
4. OpenClaw auth-profiles.json (xai:default)
Recommendation

Use narrowly scoped API keys, separate auth profiles for this plugin, and confirm what data is sent to external LLM providers.

ASI10: Rogue Agents
Severity: Medium
What this means

The plugin may continue processing, distilling, and generating memory-derived outputs while the server is running.

Why it was flagged

The system performs ongoing autonomous memory-processing tasks in the background, beyond one-off user-invoked commands.

Skill content
The memory server includes a built-in scheduler for: Daily briefing generation; Periodic collision rounds; Dormancy checks; Digest distillation. These run automatically when the server is running.
Recommendation

Make scheduled jobs opt-in, document how to stop them, and provide clear controls for what data they can process or send.