Recall Local
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: recall-local Version: 1.0.0 The skill implements a persistent background service via a macOS LaunchAgent to index and search agent memory files (~/clawd/memory/). While the documentation in SKILL.md claims 'nothing leaves your machine,' the Node.js server (scripts/server.js) binds to 0.0.0.0, exposing the agent's full history, logs, and decisions to the entire local network without any authentication. This creates a significant data exposure risk, as anyone on the same network can query the unauthenticated /search endpoint to retrieve sensitive information.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can reach the port on the local network may be able to search and read parts of the agent's memory archive, including local path information.
Search responses include memory text and full local file paths, and the HTTP server listens on all network interfaces. The shown request handler has no authentication or access-control check.
chunks.push({ text: part, source: path.basename(source || filePath), file: filePath }); ... res.end(JSON.stringify({ results, total: memories.length })); ... server.listen(PORT, '0.0.0.0'Bind to 127.0.0.1 by default, add authentication or a local-only access token, make LAN sharing opt-in, and avoid returning full file paths in API responses.
Users may underestimate who or what can access the memory search results once the server is running.
The privacy wording suggests machine-local use, while the same document advertises access from other devices on the local network.
No external services, no API keys, nothing leaves your machine. ... Works on mobile too if on same local network.
Clarify the LAN exposure plainly, remove or qualify the 'nothing leaves your machine' claim, and document firewall/authentication requirements.
The memory server may stay reachable across logins, increasing the window of exposure if the user forgets it is running.
The setup creates a login-starting service that is kept alive, so the memory API can continue operating after the immediate search task.
<key>RunAtLoad</key><true/> ... <key>KeepAlive</key><true/> ... launchctl load ~/Library/LaunchAgents/ai.wren.recall-local.plist
Make persistent startup an explicit opt-in, provide stop/unload/uninstall instructions, and default to a localhost-only non-persistent mode.
Searches can surface private history or old instructions into the agent's current context.
The skill intentionally retrieves broad persistent agent memory for reuse. That is purpose-aligned, but the memory may contain sensitive, stale, or untrusted content.
Indexes your entire `~/clawd/memory/` archive ... Use when you need to find something from past sessions ... anything in the agent's history.
Keep secrets out of the memory folder, prune sensitive entries, and treat retrieved memory as reference material rather than authoritative instructions.