mnemospark

Security checks across malware telemetry and agentic risk

Overview

This plugin appears purpose-built for Mnemospark wallet and cloud storage workflows, but it automatically changes OpenClaw execution policy and handles wallet/private-key/payment actions with too little runtime user control.

Install only if you are comfortable with a plugin that can start a local proxy, use or create an EVM wallet key, interact with Mnemospark backend services, upload/download/delete stored data, settle payments, and modify OpenClaw agent/exec-approval configuration. Review the automatic runbook behavior, consider setting MNEMOSPARK_DISABLE_OPENCLAW_PREREQ=1 if you do not want config mutation, and avoid wallet export unless you can protect terminal output and logs.

Publisher note

If OpenClaw shows a warning about dangerous code patterns when installing or updating mnemospark—often mentioning shell execution (child_process), environment variables, and network access—here is what is going on.

mnemospark is an OpenClaw plugin that talks to your configured mnemospark backend, runs a local HTTP proxy for storage workflows, and can invoke the openclaw CLI and system tools when needed (for example creating archives with tar or running npm when you use the update command). Those features use the same low-level Node.js APIs—child_process and fetch—that security tools also associate with risky software, so the installer may warn you even when the behavior is intentional and benign.

We also read environment variables you set on purpose (such as MNEMOSPARK_BACKEND_API_BASE_URL, MNEMOSPARK_PROXY_PORT, or wallet-related settings) so you can configure the plugin without editing code. Automated scans sometimes flag “environment access + network” as a possible credential-stealing pattern. In mnemospark, that combination exists because the plugin is configurable and networked by design, not because we are harvesting your unrelated secrets.

mnemospark is open source. If you want extra assurance, review the repository, search for child_process, process.env, and fetch, and run your own tests in a safe environment. The warning helps keep the ecosystem safe; for mnemospark it reflects capabilities, not a finding of malicious intent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (72)

Intent-Code Divergence

Severity: Low
Confidence: 95%
Finding:
The documentation says ls-web will run ls in list mode with 'identical output', but the implementation does more than that: after listing objects it also requests a web session and appends a browse URL and expiration details to the response. This is an active contradiction in the user-facing help text, not merely omitted detail.

Intent-Code Divergence

Severity: Medium
Confidence: 83%
Finding:
The wallet help presents the wallet command group as status-oriented and benign, but the same documented command set includes `/mnemospark wallet export`, which outputs the raw private key in plaintext. That directly diverges from the apparent intent conveyed by the surrounding help text and elevates the sensitivity of the command group beyond what the description suggests.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding:
The auth documentation explicitly states that the wallet key is 'NEVER transmitted over the network, only used locally for signing'. However, the same codebase includes wallet export behavior that renders the raw private key and an `export MNEMOSPARK_WALLET_KEY=...` command to stdout, which directly exposes the secret outside the local signing boundary described by the comments. This is an active contradiction between stated intent and implemented behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 77%
Finding:
The doc comment says the local proxy 'only forwards mnemospark storage endpoints' and 'does not handle chat completions or model routing.' In the same file, the plugin surface clearly includes model/provider registration support and provider auth types, creating an intent-level contradiction about whether this skill is purely a storage proxy or also participates in broader model-provider/plugin routing concerns.

Context-Inappropriate Capability

Severity: High
Confidence: 95%
Finding:
The documented skill purpose in this file centers on wallet commands, cloud storage commands, and a local storage proxy. However, ensureOpenClawRenewalPrerequisites is documented to modify OpenClaw agent configuration and merge exec approvals for a node binary, which is a host-configuration and execution-policy capability beyond a normal storage proxy or wallet command role.

Context-Inappropriate Capability

Severity: High
Confidence: 90%
Finding:
RenewalAgentListEntry and runbookDedicatedAgentEntry define tool-deny lists and exec approval behavior for dedicated agents. Managing agent exec policy is a powerful orchestration capability that is not justified by the nearby documentation describing a plugin for wallet/cloud storage commands and a storage-endpoint proxy.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The help text says ls-web will 'run `ls` in list mode (identical output)', which implies the same output as ls. In code, the ls-web handler first performs ls and then also requests a web session and appends a browse URL plus expiry information to the response, so the documented intent actively contradicts the actual behavior.

Intent-Code Divergence

Severity: High
Confidence: 90%
Finding:
The user-facing root help presents the extension as something the user can point an agent at via the bundled skill file. Elsewhere, plugin registration automatically invokes prerequisite setup that edits OpenClaw configuration and exec approval files to add agents and allow `/usr/bin/node`, which is a materially different and more invasive behavior than the help text suggests.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The auth module documentation states that the wallet private key is used to sign x402 micropayments for LLM inference and says this is the intentional required behavior. However, elsewhere in the same bundled source the key is also used to sign storage endpoint requests, payment settlement, and to start a local proxy for mnemospark cloud operations, which is broader than the documented purpose. This is an active contradiction in intent documentation, not merely missing detail.

Intent-Code Divergence

Severity: Low
Confidence: 80%
Finding:
The proxy source documentation describes a narrowly scoped local mnemospark proxy that forwards storage endpoints and excludes chat completions or model routing. In the same bundled skill file, there is substantial additional functionality for wallet auth, x402 micropayment signing, balance checks, and provider command handling, so the documented overall intent presented in this file is narrower than the actual bundled behavior. Because this is a bundled source map, the contradiction is weaker than a single-module mismatch but still present at the file/documentation level.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README tells users to run `openclaw plugins install mnemospark --dangerously-force-unsafe-install`, which is a safety-relevant action because it bypasses normal install safeguards. Although the document later explains why security tools may warn, there is no immediate warning in the quick-start step itself telling users they are overriding protections and should only do this if they trust the source.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README exposes `/mnemospark cloud delete` as a core command, but the surrounding documentation does not warn that deleting an object may permanently remove stored data. For markdown files, safety-impacting behaviors that affect user data should be clearly disclosed so users understand the consequence before invoking the command.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
This code performs local configuration writes to the user's OpenClaw setup, including updating agent lists and exec allowlists, but there is no confirmation prompt or direct user-facing disclosure in this function before modifying those files. Although callers may invoke it during install/update flows, the write path itself is safety-relevant because it changes local execution policy and trusted command allowlists.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The wallet export handler reveals a highly sensitive private key directly in terminal output, which can be captured by shell history tools, logs, screenshots, or remote sessions. While the response text contains a warning, there is no confirmation prompt or stronger disclosure barrier before exposing the secret.

Natural-Language Policy Violations

Severity: Low
Confidence: 94%
Finding:
This source map embeds extensive natural-language help, status, and error text such as command guidance, wallet instructions, and onboarding copy entirely in English. Under the stated policy, forcing a specific language without user opt-in is a natural-language policy violation, even when it appears inside bundled code strings.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
This code generates a new wallet private key and writes it to ~/.openclaw/mnemospark/wallet/wallet.key, which is a safety-critical file write involving credentials. Although wallet export later warns users, this write path itself lacks an in-code confirmation prompt or immediate user-facing disclosure/comment indicating that a new private key will be persisted to disk automatically.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The prerequisite setup code updates OpenClaw agent configuration and writes ~/.openclaw/exec-approvals.json, affecting local execution policy and system behavior. These are safety-relevant file modifications, but the code path performs them silently aside from internal control flow, without a confirmation prompt or explicit user-facing disclosure at execution time.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding:
This function creates directories and writes downloaded content to a local file path, which is a safety-critical file write. While the command purpose implies downloading, there is no direct user-facing disclosure here about the exact local write location before the write occurs, only a success message afterward.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
This manifest defines a `walletKey` configuration field for an EVM private key and mentions environment-variable and command-based setup, but it does not include any warning about the sensitivity of the secret, risks of exposure, or consequences of using an auto-generated wallet. For manifest files, this kind of user-facing description is the primary place to disclose sensitive credential handling.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
This markdown file documents a `cloud delete` command that can remove stored objects, but it does not warn the user that the action is destructive or recommend confirmation before use. Under the markdown-file criteria for SQP-2, omission of warnings about behaviors that could affect user data or system integrity is a reportable issue.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill description covers backing up files to cloud storage, uploading objects, and downloading them, but it does not disclose privacy or data-handling implications to the user. For markdown files, SQP-2 applies when descriptions omit warnings about behavior affecting user data or privacy.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
This markdown file documents a `cloud delete` operation, which can affect user data and system integrity, but provides no warning, confirmation note, or cautionary language near the command. Under the markdown-file criteria for missing user warnings, destructive behavior should be disclosed so users understand the risk before invoking it.

Missing User Warnings

Severity: Low
Confidence: 81%
Finding:
The payment settlement examples require `--wallet-address` and perform settlement actions, but the documentation does not warn users that these operations may affect funds or trigger payment-related transactions. For markdown skills, behaviors affecting user assets or sensitive account context should include a brief user-facing warning.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
This markdown file describes an interactive/manual workflow and explicitly recommends a configuration where command execution approval is turned off. Because disabling approvals can affect system integrity and reduce user oversight for command execution, the documentation should include a clear warning about that risk.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
This shell script outputs full JSON rows from the operations, objects, and payments tables, including fields such as wallet_address, amount, trans_id, and error details. Although the script is a debugger, there is no user-facing warning, confirmation, or caution that running it will expose potentially sensitive operational and payment data to the terminal.

VirusTotal

65/65 vendors flagged this plugin as clean.
