Scan Report
15/100
memory-m3e
Semantic memory plugin using m3e-large embedding API + SQLite
A legitimate semantic memory plugin with documented external API calls and local SQLite storage. No malicious behavior detected.
Safe to install
The skill is safe to use. Consider pinning dependency versions more strictly to reduce supply chain risk.
Security findings: 2

| Severity | Finding | Location |
|---|---|---|
| Low | Documentation mentions unimplemented features (documentation deception) | README.md:19 |
| Low | Dependencies not strictly pinned (supply chain) | package.json:8 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | index.ts:47 - mkdirSync for dbPath directory |
| Network access | READ | READ | ✓ Consistent | index.ts:27 - fetch to embedding API endpoint |
| Database | WRITE | WRITE | ✓ Consistent | index.ts:54 - SQLite via better-sqlite3 for memory storage |
2 findings

| Severity | Finding | Location |
|---|---|---|
| Medium | External URL: http://your-embedding-server | SKILL.md:27 |
| Medium | External URL: http://your-api-server:3000/v1 | index.ts:23 |

Directory structure
5 files · 12.1 KB · 458 lines
TypeScript: 1 file · 249 lines
Markdown: 2 files · 173 lines
JSON: 2 files · 36 lines

├─ index.ts (TypeScript)
├─ openclaw.plugin.json (JSON)
├─ package.json (JSON)
├─ README.md (Markdown)
└─ SKILL.md (Markdown)
Dependency analysis: 2 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| better-sqlite3 | ^11.0.0 | npm | No | Version not strictly pinned |
| @sinclair/typebox | ^0.34.48 | npm | No | Type validation library, no known vulnerabilities |

Security highlights
✓ No shell execution, subprocess, or command injection attempts
✓ No obfuscated code, base64 encoding, or anti-analysis techniques
✓ No credential harvesting or environment variable theft
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No C2 communication or data exfiltration
✓ API key usage is for legitimate external embedding service
✓ Database operations are local-only and scoped to plugin directory