Is supermemoryai/openclaw-supermemory safe?

https://github.com/supermemoryai/openclaw-supermemory

68
CAUTION

This OpenClaw plugin provides persistent memory functionality via the external supermemory.ai API. While it contains no malicious code, install scripts, or suspicious clone behavior, it automatically exfiltrates all conversation content to a third-party service and injects externally-sourced content into the agent's context on every turn—both enabled by default. The memory poisoning feedback loop between auto-capture and auto-recall creates a significant indirect prompt injection risk. The hardcoded HMAC secret in the validation library provides no real integrity protection.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 50/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (10)

HIGH Automatic conversation exfiltration to external API -35

With autoCapture enabled (default: true), the plugin automatically sends the full content of every conversation turn—including user messages and assistant responses—to the external supermemory.ai API. Users may not realize their entire conversation history is being transmitted to a third-party service.

HIGH External content injected into agent context on every turn -30

The recall hook fetches user profile data and search results from the external Supermemory API and injects them into the agent's context as a block before every agent turn. If stored memories are poisoned (via a compromised API, data injection, or manipulated conversations), adversarial instructions could be injected into the agent's context.

MEDIUM User prompts sent to external API for semantic search -15

When autoRecall is enabled (default: true), every user prompt is sent to supermemory.ai via the getProfile() call for semantic search matching, even before the agent processes it.

MEDIUM Arbitrary text injection via customContainerInstructions -15

The customContainerInstructions config field accepts arbitrary text that gets injected into the agent's context inside a block. If an attacker can influence the plugin configuration, they can inject arbitrary instructions into the agent's system context.

MEDIUM Minified/obfuscated validation library -15

lib/validate.js is a minified bundle that is difficult to review. While deobfuscation reveals standard crypto operations, the opacity makes it harder to detect if malicious code were added in future versions.

MEDIUM Hardcoded HMAC secret enables request forgery analysis -10

lib/validate.js contains a hardcoded HMAC secret (variable 'd') used to generate X-Request-Integrity headers. Because this shared secret is visible to anyone who reads the source code, anyone can compute a valid header, so the integrity scheme is purely cosmetic rather than providing real security.

LOW Memory poisoning feedback loop risk -10

The combination of auto-capture and auto-recall creates a feedback loop: conversations are captured and stored, then recalled and injected into future conversations. An attacker who can influence one conversation (e.g., via a malicious prompt) could poison the memory store, causing adversarial content to persist across all future sessions.

LOW Environment variable resolution in config -5

The config parser resolves ${VAR} patterns to environment variable values. While this is a standard configuration pattern, if an attacker can influence the config (e.g., via a malicious openclaw.json), they could cause environment variables to be resolved and potentially sent to the external API as part of the API key or other config values.

INFO Clean clone behavior -10

No suspicious network activity, process spawning, or filesystem modifications detected during installation. All observed network connections are to expected destinations (GitHub, Ubuntu repositories, NTP).

INFO No canary file tampering 0

All honeypot files (.env, SSH keys, AWS credentials, .npmrc, Docker config, GCloud credentials) remained intact with matching hashes before and after installation.