Back to plugin

Security audit

Memory Engine

Security checks across malware telemetry and agentic risk

Overview

The memory features match the stated purpose, but the skill automatically records conversations, runs silent background memory jobs, and can use an OpenAI key, so it needs careful review before installation.

Install only if you intentionally want automatic long-term memory. Before enabling it, review setup.sh and the cron configuration, decide whether OpenAI embeddings are acceptable, remove or clarify the notify-bot job, and verify that you have ways to inspect, delete, export, and disable stored memories and background jobs.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
lib/embedding.js:29
Evidence
return process.env.OPENAI_API_KEY || null;