registry  /  @scotthuang/engram  /  0.13.0

@scotthuang/engram@0.13.0

分层语义记忆系统 - OpenClaw Plugin

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The OpenClaw memory plugin auto-loads a fixed JavaScript file from `~/github/news-knowledge-base` in a background startup task. That local code runs in the host process if vector search is configured and the file exists. No install-time mutation or package-contained payload was found.

Static reason
No blocking static signals were detected.
Trigger
OpenClaw plugin startup with embedding API configuration enabled.
Impact
A pre-existing writable file at the hard-coded external path can execute with the plugin host’s permissions.
Mechanism
Guarded dynamic import of an external local module.
Rationale
The package has no install hooks or concrete exfiltration/destructive chain, but its automatic import of executable code outside its own dependency graph is an unresolved host-extension risk. Warn rather than block.
Evidence
dist/index.jspackage.jsonopenclaw.plugin.jsondist/atomic-json.jsdist/voice-identify.jsdist/config.jsdist/recall.jsdist/logger.js
Network endpoints3
api.lkeap.cloud.tencent.com/plan/anthropicasr.tencentcloudapi.com127.0.0.1:8766

Decision evidence

public snapshot
AI called this Suspicious at 89.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/index.js` dynamically imports `~/github/news-knowledge-base/dist/search/news_search.js` during plugin startup when vector search is configured.
  • The imported local module is outside this package’s dependency graph and executes without an explicit user command once the guarded startup path runs.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • No `child_process`, shell, `eval`, `Function`, VM, credential-file, or `.npmrc`/`.ssh` access was found in distributed JavaScript.
  • `dist/index.js` confines memory, transcript, staging, and log persistence to configured workspace/state paths.
  • Cloud requests in `dist/index.js`, `dist/recall.js`, and `dist/voice-identify.js` use configured memory/ASR APIs and supplied API keys; no separate covert endpoint was found.
  • `openclaw.plugin.json` declares a memory plugin with tools and `onStartup` activation, matching the package’s stated functionality.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 26 file(s), 631 KB of source, external domains: 127.0.0.1, api.lkeap.cloud.tencent.com, asr.tencentcloudapi.com, dashscope.aliyuncs.com, yeybm.gzyxedu.net

Source & flagged code

1 flagged · loading source
dist/index.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/index.js` dynamically imports `~/github/news-knowledge-base/dist/search/news_search.js` during plugin startup when vector search is configured.

dist/index.jsView on unpkg

Findings

4 Medium4 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/index.js
MediumSuspicious Dependency Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings