
Fix OpenClaw install security-scan false positive#187

Merged
wey-gu merged 1 commit into main from dev_071
Apr 11, 2026

Conversation

@wey-gu
Member

@wey-gu wey-gu commented Apr 11, 2026

Note

Medium Risk
Moderate risk because it changes how the OpenClaw plugin derives ambient space for HTTP fallback/operations by removing process.env access from client.js, which could affect space selection if env-only configuration was relied on. Changes are small and covered by new tests plus a version bump/release notes.

Overview
Bumps the OpenClaw integration/plugin release to 0.8.13 (registry entry, manifest, and npm package metadata) and documents the release in the changelog.

Updates NowledgeMemClient so the HTTP fallback client no longer reads process.env directly (to avoid OpenClaw’s “env + fetch” credential-harvesting scanner), and instead only respects explicitly provided space/spaceId when computing _spaceRef.

Adds a regression test that asserts src/client.js contains fetch() usage but no process.env references.

Reviewed by Cursor Bugbot for commit 195d200. Bugbot is set up for automated code reviews on this repo.

Summary by CodeRabbit

  • Bug Fixes

    • Resolved plugin installation and update blockage
    • Fixed explicit space configuration preservation
    • Corrected space selection behavior in CLI operations
    • Improved HTTP request routing consistency
  • Tests

    • Added security pattern validation tests
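As an added illustration of the check this PR describes (example code, not the plugin's own source): the "env + fetch" heuristic is modelled as a plain textual scan, and the regression test is the same scan with the opposite expectation. The pattern names, the `scanSource` / `httpClientIsClean` helpers and the three sample modules are constructed here; the real OpenClaw scanner's rules are not on this page beyond the description "env + fetch".

```javascript
// Added example, not part of the nowledge-mem OpenClaw plugin.
// Models the credential-harvesting heuristic described in the PR
// (a module that both reads process.env and calls fetch() is flagged)
// and the regression test that keeps src/client.js out of that category.

// Assumed heuristic: textual presence of both patterns in one module.
// Being textual, it also matches comments and strings, which is why the
// fix removes every process.env reference rather than just the live reads.
const FETCH_PATTERN = /\bfetch\s*\(/;
const PROCESS_ENV_PATTERN = /\bprocess\.env\b/;

// Scanner-style view of a source file.
function scanSource(source) {
  const usesFetch = FETCH_PATTERN.test(source);
  const readsProcessEnv = PROCESS_ENV_PATTERN.test(source);
  return { usesFetch, readsProcessEnv, flagged: usesFetch && readsProcessEnv };
}

// Regression-test view: an HTTP client must use fetch() and must not touch process.env.
function httpClientIsClean(source) {
  const result = scanSource(source);
  return result.usesFetch && !result.readsProcessEnv;
}

// Constructed sample: HTTP client that falls back to the environment for its space.
// This is the shape that trips the heuristic.
const CLIENT_BEFORE = `
export class Client {
  constructor(opts = {}) {
    this._spaceRef = opts.spaceId ?? opts.space ?? process.env.NMEM_SPACE_ID ?? process.env.NMEM_SPACE ?? "";
  }
  async get(path) { return fetch(this.baseUrl + path); }
}`;

// Constructed sample: the same client honouring only explicitly provided values.
const CLIENT_AFTER = `
export class Client {
  constructor(opts = {}) {
    this._spaceRef = opts.spaceId ?? opts.space ?? "";
  }
  async get(path) { return fetch(this.baseUrl + path); }
}`;

// Constructed sample: environment resolution moved to a module with no network access.
// Reading process.env here is fine, because this module never calls fetch().
const CONFIG_MODULE = `
export function resolveSpaceFromEnv(env = process.env) {
  return env.NMEM_SPACE_ID ?? env.NMEM_SPACE ?? "";
}`;

// Stand-alone run: show how each sample is classified.
for (const [name, src] of [
  ["client (before)", CLIENT_BEFORE],
  ["client (after)", CLIENT_AFTER],
  ["config module", CONFIG_MODULE],
]) {
  const r = scanSource(src);
  console.log(`${name}: fetch=${r.usesFetch} env=${r.readsProcessEnv} flagged=${r.flagged}`);
}
```

The split in the two "after" samples is the design point: any module may read the environment, and any module may call `fetch()`, but the heuristic fires only when one module does both, so the environment lookup is moved to the caller and the client only ever sees an explicit `space` / `spaceId`.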

@coderabbitai

coderabbitai Bot commented Apr 11, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d21ebe9d-284e-4c03-99ba-8b93adfaf66f

📥 Commits

Reviewing files that changed from the base of the PR and between 9e0f820 and 195d200.

⛔ Files ignored due to path filters (1)
  • nowledge-mem-openclaw-plugin/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (6)
  • integrations.json
  • nowledge-mem-openclaw-plugin/CHANGELOG.md
  • nowledge-mem-openclaw-plugin/openclaw.plugin.json
  • nowledge-mem-openclaw-plugin/package.json
  • nowledge-mem-openclaw-plugin/src/client.js
  • nowledge-mem-openclaw-plugin/tests/space-config.test.mjs

📝 Walkthrough

Walkthrough

This is a patch release (0.8.12 → 0.8.13) of the OpenClaw plugin that fixes plugin installation blocking, corrects explicit empty space configuration handling, adjusts HTTP fallback client logic to avoid mixing environment variables with network operations, and adds source-level security test coverage.

Changes

Cohort / File(s) / Summary

Version Bumps
  • Files: integrations.json, nowledge-mem-openclaw-plugin/openclaw.plugin.json, nowledge-mem-openclaw-plugin/package.json
  • Summary: Version field incremented from 0.8.12 to 0.8.13 across registry, plugin manifest, and npm package.

Release Documentation
  • Files: nowledge-mem-openclaw-plugin/CHANGELOG.md
  • Summary: Added version 0.8.13 changelog entry documenting fixes for plugin installation blocking, explicit space configuration preservation, and HTTP fallback client routing adjustments.

Client Logic
  • Files: nowledge-mem-openclaw-plugin/src/client.js
  • Summary: Removed fallback environment variable resolution (NMEM_SPACE / NMEM_SPACE_ID) when credentials are not explicitly provided; _spaceRef now resolves to empty string instead.

Security Test Coverage
  • Files: nowledge-mem-openclaw-plugin/tests/space-config.test.mjs
  • Summary: Added source-level security scan verifying client source contains fetch() calls while explicitly excluding process.env usage patterns.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Poem

🐰 A patch hops through the code today,
Space configs find their proper way—
No more env vars mixed with nets,
Just clean paths that won't upset!
Security tests verify all's tight,
Version 0.8.13 shines bright! ✨


@wey-gu wey-gu merged commit b363f31 into main Apr 11, 2026
1 check was pending
@wey-gu wey-gu deleted the dev_071 branch April 11, 2026 15:50
@wey-gu
Member Author

wey-gu commented Apr 11, 2026

bugbot run


@cursor cursor Bot left a comment


✅ Bugbot reviewed your changes and found no new issues!


