Local retrieval-augmented generation system for AI agents using ChromaDB and sentence-transformers, supporting multi-agent shared memory and privacy controls.
Security Analysis
Confidence: medium
The package is broadly coherent with a local RAG/memory tool, but it asks to modify agent config and install persistent components (an OpenClaw plugin with auto-injection and an HTTP server) in ways that could unexpectedly expose private memory. Review before installing.
The name and SKILL.md describe a local RAG/memory system (ChromaDB + sentence-transformers) and the included files implement that. Files, CLI commands, and server code are consistent with the stated purpose. Note: the package writes to ~/.openclaw, installs CLI scripts into ~/.local/bin, and updates openclaw.json to register an OpenClaw plugin — these side effects are aligned with integrating with OpenClaw but are consequential (see persistence/privilege).
The runtime instructions and code go well beyond a simple search tool: they create a Python venv (~/.openclaw/rag-env), install Python packages, create persistent DB directories (~/.openclaw/chroma-db), copy scripts to ~/.local/bin, and automatically update the OpenClaw config file (openclaw.json) to enable a plugin. The server component enables CORS '*' and can be bound to 0.0.0.0, which — combined with the ability to turn off public-only filtering via RECALL_ALLOW_PRIVATE — could expose private indexed data. The CLI's setup function enables the plugin with autoRecall: true by default, which will inject retrieved memories into agent messages automatically.
There is no packaged install spec (instruction-only), but the setup script runs pip installs inside a per-user venv (chromadb, sentence-transformers) and writes files into the user's home directories. Dependencies are pulled from PyPI (expected for this purpose), but they are large and will download models (~80MB) and Python packages (~200MB). No suspicious remote downloads from arbitrary servers were observed; network calls to npm registry and PyPI-style installs are present and expected.
The SKILL and code do not request unrelated cloud credentials. The code honors optional env vars (RECALL_WORKSPACE, RECALL_CHROMA_DB, RECALL_VENV, RECALL_PORT/HOST) and a special RECALL_ALLOW_PRIVATE flag that, if set to true, allows API callers to request private memories. That env var is powerful and must be treated as sensitive; however, its presence is explainable by the feature set.
The package persistently modifies user state: it creates directories and binaries under the user's home and programmatically edits openclaw.json to register and enable the jasper-recall plugin (setupOpenClawIntegration). The default setup writes the plugin config with autoRecall enabled, which causes automatic injection of retrieved memories into agent turns — this has privacy implications and increases blast radius. The server component can be bound to external interfaces and sets CORS '*' by default, making accidental external exposure possible if the user enables host 0.0.0.0 or fails to set RECALL_ALLOW_PRIVATE carefully.
Guidance
What to consider before installing:
- Review the code and SKILL.md locally. The setup will: create a Python venv (~/.openclaw/rag-env), install Python packages, write CLI scripts to ~/.local/bin, create ~/.openclaw/chroma-db, and modify your openclaw.json to register/enable an OpenClaw plugin.
- Back up openclaw.json before running setup. The installer attempts to auto-enable the plugin with autoRecall: true, which will inject memories into agent messages by default. If you don't want that, either skip the OpenClaw integration step or edit openclaw.json to set autoRecall: false.
- The included HTTP server enables CORS '*' and can bind to 0.0.0.0. Only run the server on localhost (127.0.0.1) unless you explicitly understand and control network exposure. Do not set RECALL_ALLOW_PRIVATE=true in environments where untrusted callers can reach the server.
- The tool indexes files under ~/.openclaw/workspace/memory by default. Ensure no sensitive secrets (API keys, private PII) are present in those files, or use the included privacy-check tool to scan before syncing shared memory.
- If you want to evaluate safely, run setup and the service inside an isolated environment (container or VM) first, or run the scripts manually instead of the full setup command. Confirm the pip installs and any model downloads are acceptable for your environment.
- If you lack time to audit everything: treat this package as functional but with privacy-sensitive defaults (autoRecall + server CORS). Consider it 'suspicious' until you explicitly opt in to the persistent changes and verify the configuration.
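As an added post-setup check (example code written for this review, not part of the package), the script below reports whether a jasper-recall entry in openclaw.json still has autoRecall set to true and whether the RECALL_HOST / RECALL_ALLOW_PRIVATE environment settings widen the server's exposure. The exact nesting the installer uses inside openclaw.json is not documented here, so the JSON sample is constructed and the check searches the whole document rather than one assumed path; pass the contents of your real file to audit_openclaw_config.

```python
import json
import os

# Constructed sample of an openclaw.json after setup. The nesting the
# installer uses is an assumption, so the check searches the whole document.
SAMPLE_OPENCLAW_JSON = json.dumps({
    "plugins": {"jasper-recall": {"enabled": True, "autoRecall": True}}
})

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def _walk(node, path=()):
    """Yield (path, value) for every key in a nested JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path + (key,), value
            yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (str(index),))


def audit_openclaw_config(text):
    """Report every jasper-recall entry whose autoRecall is true."""
    findings = []
    for path, value in _walk(json.loads(text)):
        in_plugin = any("jasper-recall" in part for part in path)
        if in_plugin and path[-1] == "autoRecall" and value is True:
            findings.append("autoRecall true at " + "/".join(path)
                            + ": memories are injected into agent turns")
    return findings


def audit_environment(env):
    """Flag RECALL_* settings that widen the HTTP server's exposure."""
    findings = []
    host = env.get("RECALL_HOST")
    if host is None:
        findings.append("RECALL_HOST unset: confirm the default bind is loopback")
    elif host not in LOOPBACK:
        findings.append(f"RECALL_HOST={host}: bound beyond loopback with CORS '*'")
    # The server is described as honouring the literal value "true".
    if env.get("RECALL_ALLOW_PRIVATE", "").strip().lower() == "true":
        findings.append("RECALL_ALLOW_PRIVATE=true: callers may request private memories")
    return findings


if __name__ == "__main__":
    for line in audit_openclaw_config(SAMPLE_OPENCLAW_JSON) + audit_environment(os.environ):
        print("WARN:", line)
```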
Latest Release
v0.4.0
Moltbook agent setup/verify: configure sandboxed agents with --public-only restriction
Published by @emberDesire on ClawHub