Scan Report
15/100
memory-m3e
Semantic memory plugin using m3e-large embedding API + SQLite
A legitimate semantic memory plugin with documented external API calls and local SQLite storage. No malicious behavior detected.
Safe to install
The skill is safe to use. Consider pinning dependency versions more strictly to reduce supply chain risk.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Documentation mentions unimplemented features (Doc Mismatch) | README.md:19 |
| Low | Dependencies not strictly pinned (Supply Chain) | package.json:8 |

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | index.ts:47 - mkdirSync for dbPath directory |
| Network | READ | READ | ✓ Aligned | index.ts:27 - fetch to embedding API endpoint |
| Database | WRITE | WRITE | ✓ Aligned | index.ts:54 - SQLite via better-sqlite3 for memory storage |
2 findings
| Severity | Finding | URL | Location |
|---|---|---|---|
| Medium | External URL | http://your-embedding-server | SKILL.md:27 |
| Medium | External URL | http://your-api-server:3000/v1 | index.ts:23 |

File Tree
5 files · 12.1 KB · 458 lines
TypeScript 1f · 249L
Markdown 2f · 173L
JSON 2f · 36L
├─ index.ts (TypeScript)
├─ openclaw.plugin.json (JSON)
├─ package.json (JSON)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| better-sqlite3 | ^11.0.0 | npm | No | Version not strictly pinned |
| @sinclair/typebox | ^0.34.48 | npm | No | Type validation library, no known vulnerabilities |
Security Positives
✓ No shell execution, subprocess, or command injection attempts
✓ No obfuscated code, base64 encoding, or anti-analysis techniques
✓ No credential harvesting or environment variable theft
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No C2 communication or data exfiltration
✓ API key usage is for legitimate external embedding service
✓ Database operations are local-only and scoped to plugin directory