AI Security Review
scanned 2h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. The OpenClaw memory plugin auto-loads a fixed JavaScript file from `~/github/news-knowledge-base` in a background startup task. That local code runs in the host process if vector search is configured and the file exists. No install-time mutation or package-contained payload was found.
Static reason
No blocking static signals were detected.
Trigger
OpenClaw plugin startup with embedding API configuration enabled.
Impact
A pre-existing writable file at the hard-coded external path can execute with the plugin host’s permissions.
Mechanism
Guarded dynamic import of an external local module.
Rationale
The package has no install hooks or concrete exfiltration/destructive chain, but its automatic import of executable code outside its own dependency graph is an unresolved host-extension risk. Warn rather than block.
Evidence
dist/index.jspackage.jsonopenclaw.plugin.jsondist/atomic-json.jsdist/voice-identify.jsdist/config.jsdist/recall.jsdist/logger.js
Network endpoints3
api.lkeap.cloud.tencent.com/plan/anthropicasr.tencentcloudapi.com127.0.0.1:8766
Decision evidence
public snapshotAI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `dist/index.js` dynamically imports `~/github/news-knowledge-base/dist/search/news_search.js` during plugin startup when vector search is configured.
- The imported local module is outside this package’s dependency graph and executes without an explicit user command once the guarded startup path runs.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
- No `child_process`, shell, `eval`, `Function`, VM, credential-file, or `.npmrc`/`.ssh` access was found in distributed JavaScript.
- `dist/index.js` confines memory, transcript, staging, and log persistence to configured workspace/state paths.
- Cloud requests in `dist/index.js`, `dist/recall.js`, and `dist/voice-identify.js` use configured memory/ASR APIs and supplied API keys; no separate covert endpoint was found.
- `openclaw.plugin.json` declares a memory plugin with tools and `onStartup` activation, matching the package’s stated functionality.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedist/index.jsView file
•Published source reference
Medium
Ai Review Evidence
`dist/index.js` dynamically imports `~/github/news-knowledge-base/dist/search/news_search.js` during plugin startup when vector search is configured.
dist/index.jsView on unpkgFindings
4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/index.js
MediumSuspicious Dependency Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings