Skill Trust Decision

memex

Name: memex Trust Review Report
Item: memex
Rating: 45
Author: ClawSafe

Hidden telemetry module sends machine ID and operational data to an external Cloudflare Workers endpoint via base64-encoded URLs, explicitly obfuscated to evade VirusTotal detection, with no disclosure in documentation.

Install decision first Source: Manual upload Scanned: Apr 3, 2026

Files 31

Artifacts 3

Violations 2

Findings 6

Most direct threat evidence

Plugin loaded and initialized by OpenClaw gateway reconnaissance · index.ts

initTelemetry() called with base64-encoded endpoint URL and token Escalation · src/telemetry.ts

On plugin registration, track('plugin_registered') sends machineId (hashed hostname), version, vectorDim, memoryCount to telemetry-relay-memex.mlab42.workers.dev Exfiltration · index.ts

Why this conclusion was reached

3/4 dimensions flagged

Block

Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Block

Hidden execution and egress

2 high-risk artifacts or egress signals were extracted.

Block

Attack chain and severe findings

The report includes 4 attack-chain steps and 3 severe findings.

Pass

Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

Plugin loaded and initialized by OpenClaw gateway

reconnaissance · index.ts:385

initTelemetry() called with base64-encoded endpoint URL and token

Escalation · src/telemetry.ts:19

On plugin registration, track('plugin_registered') sends machineId (hashed hostname), version, vectorDim, memoryCount to telemetry-relay-memex.mlab42.workers.dev

Exfiltration · index.ts:669

On every recall/store/forget operation, additional telemetry events sent tracking usage patterns

Exfiltration · src/tools.ts:145

What drove the risk score up

Undeclared network exfiltration +25

Telemetry sends data to https://telemetry-relay-memex.mlab42.workers.dev — not mentioned anywhere in SKILL.md or openclaw.plugin.json

Intentional obfuscation to evade security tools +20

src/telemetry.ts:1 contains comment 'Encoded to avoid false-positive VirusTotal flags on token patterns' — explicit admission of evasion intent

Machine fingerprinting via hostname hashing +10

telemetry.ts:14-16 hashes hostname to create 'anonymous' machine ID, sent on every plugin registration and operation

Most important evidence

High

Hidden Telemetry with Evasion-Intent Comment

src/telemetry.ts contains base64-encoded URLs and token to send telemetry to telemetry-relay-memex.mlab42.workers.dev. The comment 'Encoded to avoid false-positive VirusTotal flags on token patterns' explicitly admits intentional obfuscation to evade security detection tools. This functionality is NOT declared in SKILL.md, README.md, or openclaw.plugin.json.

src/telemetry.ts:1

Replace with transparent, documented, opt-in telemetry. Remove base64 encoding that exists solely for evasion.

High

Machine Fingerprinting via Hostname Hash

The telemetry module creates a 'stable anonymous machine ID' by hashing the system hostname (telemetry.ts:14-16). While labeled 'anonymous', this creates a persistent fingerprint that can be correlated across sessions and tied to machine identity.

src/telemetry.ts:14

Use truly anonymous identifiers (e.g., random UUID per session) or remove machine fingerprinting entirely.

High

Active Telemetry on Every Operation

Telemetry is sent on plugin registration (index.ts:664), auto-recall (index.ts:834), memory store (tools.ts:347), memory forget (tools.ts:406), and errors (index.ts:840, tools.ts:249). While individually lightweight, this creates a comprehensive usage profile.

index.ts:664

Implement proper consent-based telemetry with clear opt-in UI and comprehensive documentation.

Medium

Undocumented Dependency on External Service

package.json:7 depends on @ofan/telemetry-relay-sdk ^0.2.1. This Cloudflare Workers-based telemetry relay is not mentioned in any documentation and represents a third-party data collection pathway.

package.json:7

Document all third-party service dependencies. Consider self-hosting telemetry infrastructure or using established open-source alternatives.

Medium

Network Access Not Declared in Plugin Manifest

The plugin performs HTTP requests to external embedding APIs and the hidden telemetry endpoint, but openclaw.plugin.json declares no network capabilities.

openclaw.plugin.json:1

Update plugin manifest to declare network:READ for embedding API access and document the telemetry endpoint.

Low

AGENTS.md Documents Dangerous Command

AGENTS.md:56 references 'rm -rf ~' as a deploy command pattern. While this is documentation, it instructs users to execute a command that could delete home directories if misconfigured.

AGENTS.md:56

Use safer path-specific deletion commands (e.g., rm -rf ~/.openclaw/plugins/memex/*) or add safeguards.

Declared capability vs actual capability

Network Block

Declared NONE

→

Inferred READ

src/telemetry.ts:19-32 — initTelemetry() sends to external server, index.ts:664-672 sends plugin_registered event

Filesystem Block

Declared NONE

→

Inferred WRITE

index.ts:1056-1078 — runBackup() writes JSONL files, session-indexing reads/writes

Suspicious artifacts and egress

Critical Dangerous Command

rm -rf ~

AGENTS.md:56

Critical Encoded Execution

Buffer.from(s, "base64"

src/telemetry.ts:8

Medium External URL

https://api.jina.ai/v1/rerank

src/retriever.ts:36

Dependencies and supply chain

Package	Version	Source	Known vuln	Notes
@ofan/telemetry-relay-sdk	`^0.2.1`	npm	No	Hidden telemetry dependency — sends data to Cloudflare Workers endpoint
openai	`^6.21.0`	npm	No	Standard OpenAI client for embeddings
better-sqlite3	`^11.0.0`	npm	No	Local SQLite database for memory storage

File composition

31 files · 14902 lines

TypeScript 25 files · 14435 linesMarkdown 4 files · 295 linesJSON 2 files · 172 lines

Files of concern · 2

index.ts TypeScript · 1230 lines

Active Telemetry on Every Operation

src/retriever.ts TypeScript · 895 lines

https://api.jina.ai/v1/rerank

Other files · search.ts · tools.ts · session-indexer.ts · memory.ts · cli.ts · llm.ts +4

31 files · 510.5 KB · 14902 lines

TypeScript 25f · 14435LMarkdown 4f · 295LJSON 2f · 172L

├─ ▾ 📁 src

│ ├─ 📜 adaptive-retrieval.ts TypeScript 99L · 3.9 KB

│ ├─ 📜 capture-windows.ts TypeScript 70L · 2.2 KB

│ ├─ 📜 chunker.ts TypeScript 243L · 7.2 KB

│ ├─ 📜 cli.ts TypeScript 719L · 29.1 KB

│ ├─ 📜 collections.ts TypeScript 403L · 9.9 KB

│ ├─ 📜 db.ts TypeScript 62L · 1.6 KB

│ ├─ 📜 doc-indexer.ts TypeScript 278L · 8.0 KB

│ ├─ 📜 embedder.ts TypeScript 567L · 19.2 KB

│ ├─ 📜 formatter.ts TypeScript 429L · 12.9 KB

│ ├─ 📜 importance.ts TypeScript 108L · 3.6 KB

│ ├─ 📜 llm.ts TypeScript 675L · 19.4 KB

│ ├─ 📜 memory-instructions.ts TypeScript 18L · 917 B

│ ├─ 📜 memory.ts TypeScript 1021L · 32.9 KB

│ ├─ 📜 migrate-lancedb.ts TypeScript 145L · 4.4 KB

│ ├─ 📜 migrate.ts TypeScript 355L · 10.0 KB

│ ├─ 📜 noise-filter.ts TypeScript 343L · 12.0 KB

│ ├─ 📜 retriever.ts TypeScript 895L · 32.4 KB

│ ├─ 📜 scopes.ts TypeScript 382L · 10.4 KB

│ ├─ 📜 search.ts TypeScript 3609L · 123.9 KB

│ ├─ 📜 session-indexer.ts TypeScript 955L · 33.1 KB

│ ├─ 📜 telemetry.ts TypeScript 34L · 1.1 KB

│ ├─ 📜 tools.ts TypeScript 834L · 34.1 KB

│ ├─ 📜 unified-recall.ts TypeScript 418L · 13.6 KB

│ └─ 📜 unified-retriever.ts TypeScript 543L · 18.5 KB

├─ 📝 AGENTS.md Markdown 68L · 2.7 KB

├─ 📝 CLAUDE.md Markdown 1L · 10 B

├─ 📝 README.md Markdown 110L · 3.4 KB

├─ 📝 SKILL.md Markdown 116L · 3.7 KB

├─ 📜 index.ts TypeScript 1230L · 49.8 KB

├─ 📋 openclaw.plugin.json JSON 110L · 5.2 KB

└─ 📋 package.json JSON 62L · 1.3 KB

Security positives

No direct shell execution (exec, spawn, eval) found in codebase

No credential harvesting from environment variables

No access to sensitive paths like ~/.ssh, ~/.aws, or .env files

No base64-decode-and-execute patterns

Telemetry can be disabled via MEMEX_TELEMETRY=0 or MEMEX_DO_NOT_TRACK=1 environment variables

Memory operations are properly scoped and sandboxed within SQLite