Is joeykrug/memory-lancedb-hybrid safe?
https://github.com/openclaw/skills/tree/main/skills/joeykrug/memory-lancedb-hybrid
The joeykrug/memory-lancedb-hybrid skill is a professionally implemented LanceDB memory plugin with hybrid BM25+vector search. SKILL.md contains no prompt injection, all canary honeypot files remain intact, and no unauthorized credential access or unexpected network destinations were detected during installation. The primary security considerations are operational rather than malicious: the plugin intentionally overrides the built-in memory-lancedb plugin by sharing its plugin ID, all memory text is transmitted to the OpenAI Embeddings API as disclosed, and the autoRecall context-injection mechanism creates an indirect prompt injection surface that depends on the integrity of stored memories.
Findings (8)
MEDIUM: All memory text transmitted to OpenAI Embeddings API (score -15)
Every call to memory_store, memory_recall, autoCapture, and autoRecall sends text content to api.openai.com via the OpenAI Embeddings API. This is required for vector search functionality and is disclosed (users must supply an API key), but means any information that enters the memory system — including auto-captured conversation snippets — is transmitted to OpenAI's servers and subject to their data retention policies.
MEDIUM: Built-in memory plugin replaced via shared plugin ID (score -15)
The plugin registers id: 'memory-lancedb', identical to OpenClaw's bundled memory plugin. When loaded via plugins.load.paths with higher precedence, this plugin fully replaces the official implementation. The SKILL.md documents this as intentional design. Users should verify that no security properties of the bundled plugin (for example, any filtering or access controls it applies to memory content) are lost in the replacement.
MEDIUM: Persistent indirect prompt injection surface via autoRecall memory injection (score -13)
The before_agent_start hook retrieves up to 3 semantically relevant memories and prepends them verbatim into every agent run as
LOW: AutoCapture silently collects personal information from conversations (score -7)
The autoCapture feature uses MEMORY_TRIGGERS regex patterns to identify and store personally identifiable information from conversations without per-capture user confirmation. Patterns include email addresses, phone numbers, and explicit preference/fact statements. This silently builds a persistent user profile stored in LanceDB.
LOW: Memory recall injects stored text into agent context without sanitization (score -7)
Retrieved memories are concatenated as plaintext within XML tags and prepended to the agent context. No sanitization or escaping is applied to memory content before injection. While shouldCapture() attempts to filter out agent-generated content, a sufficiently crafted user message that passes as natural text could be persisted as a memory and re-inject instructions in future sessions.
LOW: Native prebuilt binaries installed via LanceDB npm dependencies (score -8)
The @lancedb/lancedb package installs platform-specific prebuilt native Node.js addon binaries (e.g., @lancedb/lancedb-linux-x64-gnu). These execute with full native code privileges as Node.js native modules. Mitigated by the pinned version and sha512 integrity hashes in package-lock.json, and by the package's Apache-2.0 license with publicly available source code.
INFO: Standard GitHub sparse-checkout clone — no unexpected network activity (score -10)
Installation performs a shallow git clone of the openclaw/skills monorepo with sparse checkout to extract only the skill subdirectory. Network activity was limited to GitHub (140.82.121.3:443). Pre-existing Ubuntu APT connections to 185.125.188.x were already established before the audit began and are unrelated to this skill.
INFO: Canary file accesses are exclusively from the audit framework (score 0)
Honeypot file accesses appearing in the audit log at timestamps 1771909161 (before git clone at 1771909166) and 1771909178 (final audit sweep) are attributed to the oathe audit framework's initialization and integrity verification phases, not to any skill code. The skill source code contains no operations targeting these file paths.