@kalera/munin-openclaw
AdvisoryAudited by VirusTotal on Mar 29, 2026.
Overview
Type: OpenClaw Skill Name: munin-openclaw Version: 1.0.1 The skill is a legitimate adapter for 'Munin,' a persistent memory service for AI agents. It facilitates storing and retrieving agent context via an external API (MUNIN_BASE_URL). The code in src/cli.ts and src/index.ts is a standard wrapper around the @kalera/munin-sdk, and the SKILL.md provides functional instructions for setup and E2EE usage without any signs of prompt injection or malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Facts, preferences, or other context the agent stores could persist beyond the current session and be retrieved later.
The skill discloses that memory data is sent to a configured Munin endpoint; this is expected for persistent memory, but the stored context may include sensitive or reusable agent information.
Data is sent ONLY to your `MUNIN_BASE_URL`.
Use a trusted or self-hosted MUNIN_BASE_URL, avoid storing secrets, and verify retention, deletion, and E2EE settings before storing sensitive content.
If the API key is exposed or over-scoped, someone else may be able to access or modify the associated Munin memory project.
The adapter needs a Munin endpoint and API key. This is appropriate for the integration, but the key is a credential that may allow access to stored memories depending on service-side scopes.
"env": [
"MUNIN_BASE_URL",
"MUNIN_API_KEY"
]Use a scoped, rotatable key where available; store it only in trusted agent configuration; revoke or rotate it if compromised.
The agent can use whatever Munin actions the configured endpoint exposes, including memory-changing actions if those are available.
The wrapper passes an action string and payload through to the Munin SDK. The ensureCapability flag suggests service-side capability checking, but the local adapter does not enumerate allowed actions.
client.invoke(projectId, action as any, payload, { ensureCapability: true })Review the Munin project capabilities and consider requiring user confirmation for bulk changes, deletion, or other high-impact memory operations.
A connected agent or MCP client may be able to call Munin memory tools through this server.
The CLI can start an MCP server, creating an agent/tool communication boundary implemented by the Munin runtime dependency.
if (args.length === 0 || args[0] === 'mcp') {
await startMcpServer();
return;
}Run it only in trusted agent environments and restrict MCP client access to callers you intend to use the memory service.
The visible adapter is small and clean, but the provided artifacts do not fully show how the SDK/runtime handle credentials, encryption, endpoint access, or MCP serving.
Core network, credential-loading, retry, and MCP behavior is delegated to dependencies whose source is not included in the provided artifact text and which are referenced with workspace specifiers.
"@kalera/munin-sdk": "workspace:*",
"@kalera/munin-runtime": "workspace:*"Install from a trusted package source, inspect or pin the resolved dependency versions, and verify the SDK/runtime behavior if storing sensitive memories.