Is chromadb-memory safe?
https://clawhub.ai/msensintaffar/chromadb-memory
This ChromaDB memory plugin is functionally legitimate and well-engineered, providing semantic memory search backed by local Ollama embeddings and ChromaDB. However, its auto-recall feature creates a significant indirect prompt injection surface by automatically injecting unsanitized ChromaDB document content into the agent's context on every turn. If the ChromaDB collection contains poisoned documents (from untrusted indexing sources, shared environments, or compromised data pipelines), an attacker achieves persistent, automatic prompt injection. The configurable HTTP endpoints also mean a compromised config could silently exfiltrate all user messages.
Category Scores
Findings (10)
HIGH Unsanitized auto-recall context injection -25 ▶
The auto-recall feature injects raw ChromaDB document content into the agent's context via
MEDIUM Error message injection into agent context -5 ▶
When ChromaDB queries fail, the error message (which may contain attacker-controlled content from a malicious ChromaDB server) is injected into the agent's context via
MEDIUM User messages sent to configurable HTTP endpoints every turn -20 ▶
With autoRecall enabled (default), every user message is sent to Ollama for embedding and then to ChromaDB for querying. While defaults are localhost, the URLs are fully configurable. A compromised or malicious configuration could redirect all user messages to an external attacker-controlled server, effectively exfiltrating every conversation.
MEDIUM Sensitive file access during gateway restart -15 ▶
The install process triggers a gateway restart that reads .env, .aws/credentials, auth-profiles.json, .profile, and .bashrc. While this is likely the OpenClaw gateway's normal behavior rather than the skill's code, the skill's install instructions explicitly trigger this restart, causing these sensitive files to be read into the process that then executes the skill's code.
MEDIUM Executable plugin code installed to gateway extensions -25 ▶
The skill installs TypeScript code that runs inside the OpenClaw gateway process. This code has access to the full plugin API, can make arbitrary HTTP requests, and registers event handlers that run on every agent turn. The code itself appears benign but the execution model grants significant privileges.
LOW Outbound HTTP to configurable endpoints -15 ▶
The plugin makes HTTP POST requests to two configurable URLs (chromaUrl and ollamaUrl) using fetch(). While the defaults point to localhost services, these could be reconfigured to any endpoint.
LOW AWS credentials file opened during install -10 ▶
The .aws/credentials file was opened during the gateway restart triggered by installation. This appears to be the OpenClaw gateway's normal AWS credential resolution rather than the skill itself, but it means the gateway process (which now runs this plugin's code) has access to AWS credentials in memory.
HIGH ChromaDB collection poisoning enables persistent prompt injection -45 ▶
The most significant risk of this skill is that it creates a persistent, automated bridge between ChromaDB contents and the agent's context. Anyone who can write documents to the ChromaDB collection can inject arbitrary content into the agent's context on every turn. In multi-user environments, shared collections, or scenarios where untrusted data is indexed, this becomes a severe prompt injection vector. The attack is persistent (survives across sessions) and automatic (no user action required).
INFO No hidden unicode, HTML comments, or obfuscation detected 0 ▶
The SKILL.md and all source files are clean of invisible unicode characters, HTML comment tricks, markdown obfuscation, or hidden instructions. The skill's documentation accurately describes what the code does.
INFO No install scripts, git hooks, submodules, or symlinks 0 ▶
The skill has no package.json with install scripts, no git hooks, no git submodules, and no symlinks. Code execution is limited to the plugin runtime context.