openclaw-hybrid-memory@2026.7.54

⚠ Under review

Give your OpenClaw agent lasting memory: structured facts, semantic search, auto-capture & recall, decay, optional credential vault. Part of Hybrid Memory v3.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 23 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source: ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Eval, Filesystem, NativeBindings, Network, Shell
Supply chain: HighEntropyStrings, Protestware, UrlStrings
Manifest: NoLicense
scanned 1,487 file(s), 13.8 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.example.com, api.github.com, api.minimax.chat, api.minimax.io, api.openai.com, cdn.jsdelivr.net, d3js.org, generativelanguage.googleapis.com, github.com, huggingface.co, nibe.local, ollama.ai, openrouter.ai, platform.openai.com, registry.npmjs.org, rnd-api-gateway.azure-api.net, wttr.in, www.npmjs.com

Source & flagged code

13 flagged
package.json
scripts.postinstall = node scripts/postinstall-rebuild.cjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

dist/services/skill-validator.d.ts
L12: patternName = private_key_rsa severity = critical line = 12 matchedText = * Matche...---,
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/services/skill-validator.d.ts · L12
L12: patternName = private_key_rsa severity = critical line = 12 matchedText = * Matche...---,
Critical
Secret Pattern

RSA private key in dist/services/skill-validator.d.ts

dist/services/skill-validator.d.ts · L12
benchmark/offline-qa/analyze-quality.ts
L3: */ L4: import { spawnSync } from "node:child_process"; L5: import { existsSync, readFileSync, readdirSync } from "node:fs";
High
Child Process

Package source references child process execution.

benchmark/offline-qa/analyze-quality.ts · L3
dist/services/skill-validator.js
L29: patternName = private_key_rsa severity = critical line = 29 matchedText = * Matche...---,
Critical
Secret Pattern

RSA private key in dist/services/skill-validator.js

dist/services/skill-validator.js · L29
L120: pattern: /* @__PURE__ */ new RegExp("\\beval\\s*[\\(\\$'\"`]", "i"), L121: description: "eval() or eval$(...) in code block — arbitrary code execution" L122: },
Low
Eval

Package source references a known benign dynamic code generation pattern.

dist/services/skill-validator.js · L120
dist/routes/dashboard/collectors.js
L29: const execFile = promisify(execFile$1); L30: const require = createRequire(import.meta.url); L31: const VERIFIED_FACT_SET_TTL_MS = 5e3;
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/routes/dashboard/collectors.js · L29
dist/backends/facts-db/procedures/internal.js
L30: try { L31: const parsed = JSON.parse(recipeJson); L32: if (!Array.isArray(parsed) || parsed.length === 0) return false;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/backends/facts-db/procedures/internal.js · L30
dist/cli/commands/manage/register-procedure-lifecycle.js
L10: import { mkdirSync, unlinkSync, writeFileSync } from "node:fs"; L11: import { execSync } from "node:child_process"; L12: //#region cli/commands/manage/register-procedure-lifecycle.ts ... L16: */ L17: /** Quote a path for use in a crontab line so spaces/special chars do not break the shell. */ L18: function shellQuotePathForCron(path) { ... L73: console.error("error: --limit must be a positive integer"); L74: process.exitCode = 1; L75: return; ... L141: if (raw) try { L142: const parsed = JSON.parse(raw); L143: if (!Array.isArray(parsed)) throw new Error("expected a JSON array");
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/cli/commands/manage/register-procedure-lifecycle.js · L10
cli/plugin-commands.ts
L77: await new Promise<void>((resolve, reject) => { L78: const child = spawn("npm", ["install", source, "--prefix", pluginsDir], { stdio: "inherit" }); L79: child.on("error", reject); ... L81: if (code === 0) resolve(); L82: else reject(new Error(`npm install exited with code ${code ?? "unknown"}`)); L83: });
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

cli/plugin-commands.ts · L77
benchmark/offline-qa/clone-sandbox.sh
path = benchmark/offline-qa/clone-sandbox.sh kind = build_helper sizeBytes = 1567 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/cli/install/upgrade-config-preflight.js
matchType = previous_version_dangerous_delta matchedPackage = openclaw-hybrid-memory@2026.7.32 matchedIdentity = npm:b3BlbmNsYXctaHlicmlkLW1lbW9yeQ:2026.7.32 similarity = 0.958 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

services/skill-validator.ts
L70: patternName = private_key_rsa severity = critical line = 70 matchedText = * Matche...---,
Critical
Secret Pattern

RSA private key in services/skill-validator.ts

services/skill-validator.ts · L70

Findings

5 Critical · 4 High · 7 Medium · 7 Low
Critical · Critical Secret · dist/services/skill-validator.d.ts
Critical · Previous Version Dangerous Delta · dist/cli/install/upgrade-config-preflight.js
Critical · Secret Pattern · dist/services/skill-validator.d.ts
Critical · Secret Pattern · dist/services/skill-validator.js
Critical · Secret Pattern · services/skill-validator.ts
High · Install Time Lifecycle Scripts · package.json
High · Child Process · benchmark/offline-qa/analyze-quality.ts
High · Shell
High · Runtime Package Install · cli/plugin-commands.ts
Medium · Dynamic Require · dist/routes/dashboard/collectors.js
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/cli/commands/manage/register-procedure-lifecycle.js
Medium · Protestware
Medium · Ships Build Helper · benchmark/offline-qa/clone-sandbox.sh
Medium · Structural Risk Force Deep Review
Low · Scripts Present
Low · Eval · dist/services/skill-validator.js
Low · Weak Crypto · dist/backends/facts-db/procedures/internal.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · No License