安全决策报告
memex
Hidden telemetry module sends machine ID and operational data to an external Cloudflare Workers endpoint via base64-encoded URLs, explicitly obfuscated to evade VirusTotal detection, with no disclosure in documentation.
最直接的威胁证据
01
Plugin loaded and initialized by OpenClaw gateway reconnaissance · index.ts
02
initTelemetry() called with base64-encoded endpoint URL and token 权限提升 · src/telemetry.ts
03
On plugin registration, track('plugin_registered') sends machineId (hashed hostname), version, vectorDim, memoryCount to telemetry-relay-memex.mlab42.workers.dev 数据外泄 · index.ts
为什么得出这个结论
3/4 个维度触发 阻止
声明与实际能力
发现 2 项声明之外的能力或越权行为。
阻止
隐藏执行与外联
提取到 2 个高危 IOC 或外联信号。
阻止
攻击链与高危发现
报告包含 4 步攻击链,另有 3 项高危或严重发现。
通过
依赖与供应链卫生
依赖结构存在,但暂未看到明显高危告警。
攻击链
01
Plugin loaded and initialized by OpenClaw gateway
reconnaissance · index.ts:385
02
initTelemetry() called with base64-encoded endpoint URL and token
权限提升 · src/telemetry.ts:19
03
On plugin registration, track('plugin_registered') sends machineId (hashed hostname), version, vectorDim, memoryCount to telemetry-relay-memex.mlab42.workers.dev
数据外泄 · index.ts:669
04
On every recall/store/forget operation, additional telemetry events sent tracking usage patterns
数据外泄 · src/tools.ts:145
风险分是怎么被拉高的
Undeclared network exfiltration +25
Telemetry sends data to https://telemetry-relay-memex.mlab42.workers.dev — not mentioned anywhere in SKILL.md or openclaw.plugin.json
Intentional obfuscation to evade security tools +20
src/telemetry.ts:1 contains comment 'Encoded to avoid false-positive VirusTotal flags on token patterns' — explicit admission of evasion intent
Machine fingerprinting via hostname hashing +10
telemetry.ts:14-16 hashes hostname to create 'anonymous' machine ID, sent on every plugin registration and operation
最关键的证据
高危
Hidden Telemetry with Evasion-Intent Comment
src/telemetry.ts contains base64-encoded URLs and token to send telemetry to telemetry-relay-memex.mlab42.workers.dev. The comment 'Encoded to avoid false-positive VirusTotal flags on token patterns' explicitly admits intentional obfuscation to evade security detection tools. This functionality is NOT declared in SKILL.md, README.md, or openclaw.plugin.json.
src/telemetry.ts:1 Replace with transparent, documented, opt-in telemetry. Remove base64 encoding that exists solely for evasion.
高危
Machine Fingerprinting via Hostname Hash
The telemetry module creates a 'stable anonymous machine ID' by hashing the system hostname (telemetry.ts:14-16). While labeled 'anonymous', this creates a persistent fingerprint that can be correlated across sessions and tied to machine identity.
src/telemetry.ts:14 Use truly anonymous identifiers (e.g., random UUID per session) or remove machine fingerprinting entirely.
高危
Active Telemetry on Every Operation
Telemetry is sent on plugin registration (index.ts:664), auto-recall (index.ts:834), memory store (tools.ts:347), memory forget (tools.ts:406), and errors (index.ts:840, tools.ts:249). While individually lightweight, this creates a comprehensive usage profile.
index.ts:664 Implement proper consent-based telemetry with clear opt-in UI and comprehensive documentation.
中危
Undocumented Dependency on External Service
package.json:7 depends on @ofan/telemetry-relay-sdk ^0.2.1. This Cloudflare Workers-based telemetry relay is not mentioned in any documentation and represents a third-party data collection pathway.
package.json:7 Document all third-party service dependencies. Consider self-hosting telemetry infrastructure or using established open-source alternatives.
中危
Network Access Not Declared in Plugin Manifest
The plugin performs HTTP requests to external embedding APIs and the hidden telemetry endpoint, but openclaw.plugin.json declares no network capabilities.
openclaw.plugin.json:1 Update plugin manifest to declare network:READ for embedding API access and document the telemetry endpoint.
低危
AGENTS.md Documents Dangerous Command
AGENTS.md:56 references 'rm -rf ~' as a deploy command pattern. While this is documentation, it instructs users to execute a command that could delete home directories if misconfigured.
AGENTS.md:56 Use safer path-specific deletion commands (e.g., rm -rf ~/.openclaw/plugins/memex/*) or add safeguards.
声明能力 vs 实际能力
网络访问 阻止
声明 NONE
→ 推断 READ
src/telemetry.ts:19-32 — initTelemetry() sends to external server, index.ts:664-672 sends plugin_registered event 文件系统 阻止
声明 NONE
→ 推断 WRITE
index.ts:1056-1078 — runBackup() writes JSONL files, session-indexing reads/writes 可疑产物与外联
严重 危险命令
rm -rf ~ AGENTS.md:56
严重 编码执行
Buffer.from(s, "base64" src/telemetry.ts:8
中危 外部 URL
https://api.jina.ai/v1/rerank src/retriever.ts:36
依赖与供应链
| 包名 | 版本 | 来源 | 漏洞 | 备注 |
|---|---|---|---|---|
| @ofan/telemetry-relay-sdk | ^0.2.1 | npm | 否 | Hidden telemetry dependency — sends data to Cloudflare Workers endpoint |
| openai | ^6.21.0 | npm | 否 | Standard OpenAI client for embeddings |
| better-sqlite3 | ^11.0.0 | npm | 否 | Local SQLite database for memory storage |
文件构成
31 个文件 · 14902 行
TypeScript 25 个文件 · 14435 行Markdown 4 个文件 · 295 行JSON 2 个文件 · 172 行
需关注文件 · 2
index.ts Active Telemetry on Every Operation
src/retriever.ts https://api.jina.ai/v1/rerank
其他文件 · search.ts · tools.ts · session-indexer.ts · memory.ts · cli.ts · llm.ts +4
安全亮点
No direct shell execution (exec, spawn, eval) found in codebase
No credential harvesting from environment variables
No access to sensitive paths like ~/.ssh, ~/.aws, or .env files
No base64-decode-and-execute patterns
Telemetry can be disabled via MEMEX_TELEMETRY=0 or MEMEX_DO_NOT_TRACK=1 environment variables
Memory operations are properly scoped and sandboxed within SQLite