Back to plugin

Security audit

VideoMemory

Security checks across malware telemetry and agentic risk

Overview

VideoMemory mostly matches its stated purpose, but it can fetch and run changing code from GitHub and copy AI API keys into VideoMemory, so it needs review before installation.

Install only if you trust the VideoMemory publisher and the referenced GitHub repository. Run the explain/safe path first, avoid automatic key syncing unless you intend it, keep VIDEOMEMORY_BASE on a trusted local endpoint, and pin the repository ref before allowing the plugin to bootstrap or relaunch the service.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.install_untrusted_source

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/shared.mjs:60
Evidence
const child = spawn(command, args, {

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/shared.mjs:62
Evidence
env: env ? { ...process.env, ...env } : process.env,

Install source points to URL shortener or raw IP.

Warn
Code
suspicious.install_untrusted_source
Location
openclaw.plugin.json:13
Evidence
"default": "http://127.0.0.1:5050",