memex 安全扫描报告 — 可疑 | ClawSafe

55 /100

memex

Unified memory plugin for OpenClaw — conversation memory + document search in a single SQLite database

Hidden telemetry module sends machine ID and operational data to an external Cloudflare Workers endpoint via base64-encoded URLs, explicitly obfuscated to evade VirusTotal detection, with no disclosure in documentation.

技能名称memex

分析耗时76.1s

引擎pi

⚠

谨慎使用

Remove or replace the telemetry module with transparent, opt-in analytics. Document all network communications. Base64 obfuscation to 'avoid VirusTotal flags' is a significant red flag requiring immediate vendor clarification.

攻击链 4 步

⬡

提权 Plugin loaded and initialized by OpenClaw gateway

index.ts:385

⬡

提权 initTelemetry() called with base64-encoded endpoint URL and token

src/telemetry.ts:19

⬡

提权 On plugin registration, track('plugin_registered') sends machineId (hashed hostname), version, vectorDim, memoryCount to telemetry-relay-memex.mlab42.workers.dev

index.ts:669

⬡

提权 On every recall/store/forget operation, additional telemetry events sent tracking usage patterns

src/tools.ts:145

安全发现 6 项

严重性	安全发现	位置
高危	Hidden Telemetry with Evasion-Intent Comment src/telemetry.ts contains base64-encoded URLs and token to send telemetry to telemetry-relay-memex.mlab42.workers.dev. The comment 'Encoded to avoid false-positive VirusTotal flags on token patterns' explicitly admits intentional obfuscation to evade security detection tools. This functionality is NOT declared in SKILL.md, README.md, or openclaw.plugin.json. `// Encoded to avoid false-positive VirusTotal flags on token patterns` → Replace with transparent, documented, opt-in telemetry. Remove base64 encoding that exists solely for evasion.	`src/telemetry.ts:1`
高危	Machine Fingerprinting via Hostname Hash The telemetry module creates a 'stable anonymous machine ID' by hashing the system hostname (telemetry.ts:14-16). While labeled 'anonymous', this creates a persistent fingerprint that can be correlated across sessions and tied to machine identity. `function getMachineId(): string { return createHash("sha256").update(hostname()).digest("hex").slice(0, 16); }` → Use truly anonymous identifiers (e.g., random UUID per session) or remove machine fingerprinting entirely.	`src/telemetry.ts:14`
高危	Active Telemetry on Every Operation Telemetry is sent on plugin registration (index.ts:664), auto-recall (index.ts:834), memory store (tools.ts:347), memory forget (tools.ts:406), and errors (index.ts:840, tools.ts:249). While individually lightweight, this creates a comprehensive usage profile. `track('plugin_registered', { version: pluginVersion, vectorDim, documentsEnabled, autoRecall, memoryCount })` → Implement proper consent-based telemetry with clear opt-in UI and comprehensive documentation.	`index.ts:664`
中危	Undocumented Dependency on External Service package.json:7 depends on @ofan/telemetry-relay-sdk ^0.2.1. This Cloudflare Workers-based telemetry relay is not mentioned in any documentation and represents a third-party data collection pathway. `"@ofan/telemetry-relay-sdk": "^0.2.1"` → Document all third-party service dependencies. Consider self-hosting telemetry infrastructure or using established open-source alternatives.	`package.json:7`
中危	Network Access Not Declared in Plugin Manifest The plugin performs HTTP requests to external embedding APIs and the hidden telemetry endpoint, but openclaw.plugin.json declares no network capabilities. `No network capability declared` → Update plugin manifest to declare network:READ for embedding API access and document the telemetry endpoint.	`openclaw.plugin.json:1`
低危	AGENTS.md Documents Dangerous Command AGENTS.md:56 references 'rm -rf ~' as a deploy command pattern. While this is documentation, it instructs users to execute a command that could delete home directories if misconfigured. `rm -rf ~/.openclaw/plugins/memex` → Use safer path-specific deletion commands (e.g., rm -rf ~/.openclaw/plugins/memex/*) or add safeguards.	`AGENTS.md:56`

资源类型	声明权限	推断权限	状态	证据
网络访问	`NONE`	`READ`	✗ 越权	src/telemetry.ts:19-32 — initTelemetry() sends to external server, index.ts:664-…
文件系统	`NONE`	`WRITE`	✗ 越权	index.ts:1056-1078 — runBackup() writes JSONL files, session-indexing reads/writ…

2 严重 3 项发现

💀

严重危险命令危险 Shell 命令

rm -rf ~

AGENTS.md:56

🔒

严重编码执行 Base64 编码执行（代码混淆）

Buffer.from(s, "base64"

src/telemetry.ts:8

🔗

中危外部 URL 外部 URL

https://api.jina.ai/v1/rerank

src/retriever.ts:36

目录结构

31 文件 · 510.5 KB · 14902 行

TypeScript 25f · 14435L Markdown 4f · 295L JSON 2f · 172L

├─ ▾ 📁 src

│ ├─ 📜 adaptive-retrieval.ts TypeScript 99L · 3.9 KB

│ ├─ 📜 capture-windows.ts TypeScript 70L · 2.2 KB

│ ├─ 📜 chunker.ts TypeScript 243L · 7.2 KB

│ ├─ 📜 cli.ts TypeScript 719L · 29.1 KB

│ ├─ 📜 collections.ts TypeScript 403L · 9.9 KB

│ ├─ 📜 db.ts TypeScript 62L · 1.6 KB

│ ├─ 📜 doc-indexer.ts TypeScript 278L · 8.0 KB

│ ├─ 📜 embedder.ts TypeScript 567L · 19.2 KB

│ ├─ 📜 formatter.ts TypeScript 429L · 12.9 KB

│ ├─ 📜 importance.ts TypeScript 108L · 3.6 KB

│ ├─ 📜 llm.ts TypeScript 675L · 19.4 KB

│ ├─ 📜 memory-instructions.ts TypeScript 18L · 917 B

│ ├─ 📜 memory.ts TypeScript 1021L · 32.9 KB

│ ├─ 📜 migrate-lancedb.ts TypeScript 145L · 4.4 KB

│ ├─ 📜 migrate.ts TypeScript 355L · 10.0 KB

│ ├─ 📜 noise-filter.ts TypeScript 343L · 12.0 KB

│ ├─ 📜 retriever.ts TypeScript 895L · 32.4 KB

│ ├─ 📜 scopes.ts TypeScript 382L · 10.4 KB

│ ├─ 📜 search.ts TypeScript 3609L · 123.9 KB

│ ├─ 📜 session-indexer.ts TypeScript 955L · 33.1 KB

│ ├─ 📜 telemetry.ts TypeScript 34L · 1.1 KB

│ ├─ 📜 tools.ts TypeScript 834L · 34.1 KB

│ ├─ 📜 unified-recall.ts TypeScript 418L · 13.6 KB

│ └─ 📜 unified-retriever.ts TypeScript 543L · 18.5 KB

├─ 📝 AGENTS.md Markdown 68L · 2.7 KB

├─ 📝 CLAUDE.md Markdown 1L · 10 B

├─ 📜 index.ts TypeScript 1230L · 49.8 KB

├─ 📋 openclaw.plugin.json JSON 110L · 5.2 KB

├─ 📋 package.json JSON 62L · 1.3 KB

├─ 📝 README.md Markdown 110L · 3.4 KB

└─ 📝 SKILL.md Markdown 116L · 3.7 KB

依赖分析 3 项

包名	版本	来源	已知漏洞	备注
`@ofan/telemetry-relay-sdk`	`^0.2.1`	npm	否	Hidden telemetry dependency — sends data to Cloudflare Workers endpoint
`openai`	`^6.21.0`	npm	否	Standard OpenAI client for embeddings
`better-sqlite3`	`^11.0.0`	npm	否	Local SQLite database for memory storage

安全亮点

✓ No direct shell execution (exec, spawn, eval) found in codebase

✓ No credential harvesting from environment variables

✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env files

✓ No base64-decode-and-execute patterns

✓ Telemetry can be disabled via MEMEX_TELEMETRY=0 or MEMEX_DO_NOT_TRACK=1 environment variables

✓ Memory operations are properly scoped and sandboxed within SQLite