Security audit

MuninnDB Auto Memory

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local MuninnDB memory helper, but users should understand it can persist context automatically and optionally run a background snapshot job.

Install this only if you want cross-session memory. Protect ~/.muninn/openclaw.key, avoid saving secrets or regulated data, review/prune the MuninnDB vault periodically, and enable the 30-minute cron snapshot only if you are comfortable storing local workspace and recent-session metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill instructs use of shell-capable behavior and curl-based API access, but declares no permissions. That creates a transparency and policy-enforcement gap: a user or host framework may assume the skill is passive while it can read local files and perform network requests. In this context, hidden shell capability increases risk because the skill also accesses a bearer token and supports autonomous persistence behavior.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The description frames the skill as an automatic memory layer, but the documented behavior is materially broader: cron-driven host snapshots, collection of working directory and session metadata, token-file reads, and direct REST calls. This mismatch can mislead users and security controls about what data is collected and when, undermining informed consent and review. The broader-than-advertised scope makes the skill more dangerous than a normal memory helper.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The cron-based snapshot feature goes beyond recalling and storing user-approved memory items; it periodically collects host/session context without a clear per-run user action. Periodic autonomous collection increases privacy risk and can capture sensitive operational metadata such as workspace location and recent activity patterns. In a memory skill, that context expansion is not necessary and raises the chance of overcollection.

Context-Inappropriate Capability

Severity: Low
Confidence: 84%
Finding: The documented fallback reads a local API key file directly, which broadens the skill from memory assistance into credential-handling behavior. Even though the endpoint is local, instructing direct token access without stronger safeguards increases exposure if the skill is misused, modified, or combined with other shell actions. The risk is lower than remote exfiltration by itself, but still meaningful because it normalizes secret access inside an auto-triggered skill.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding: The documentation instructs users to create a recurring cron job that automatically snapshots local context, including working directory and recent Hermes sessions, into persistent storage. That creates continuous background collection of potentially sensitive operational data beyond what is necessary for basic MCP memory connectivity, increasing privacy and data-leak risk if the database is later queried by other tools, users, or compromised components.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The cron script collects host metadata, current working directory, timestamps, and recent session information without a clear necessity tied to the stated goal of using MuninnDB as a memory layer. This broad collection increases the chance of unintentionally storing sensitive project names, client identifiers, or conversational context that can expose user activity patterns.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The script periodically collects local working-directory and recent session information, then persists it to an external service as a background cron task. This exceeds a narrow 'memory layer' function and creates continuous covert-style inventorying of potentially sensitive operator context without clear user consent or minimization.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: Reading `pwd`, hostname, and `hermes sessions list --limit 3` exposes local operational context that may include project names, customer identifiers, task history, or other sensitive metadata. Because this collection is not obviously required for automatic MuninnDB loading, it broadens data access beyond the stated purpose and increases privacy and security risk.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The instruction to use MuninnDB automatically as the primary memory layer and 'always load' it leaves trigger scope undefined and broad. Ambiguous auto-activation can cause the skill to persist or retrieve data in contexts where the user did not expect memory operations, increasing privacy and accidental data-retention risk. Because the skill also encourages proactive saving during sessions, unclear scope is especially dangerous here.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The skill directs automatic storage of preferences, decisions, project context, fixes, and summaries, but does not clearly warn the user that session data will be persisted across sessions. This creates a consent and privacy problem: users may reveal sensitive information believing it is transient when it is actually being stored. In a memory system, silent persistence materially increases the harm from accidental disclosure and over-retention.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The fallback API guidance uses a local bearer token but does not include a strong warning that the skill accesses a credential and sends authenticated requests. Users and reviewers may not realize that enabling fallback implies secret handling and authenticated data transmission. In an auto-memory skill, undisclosed credential use compounds trust and auditability concerns.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The documented snapshot mechanism transmits context data on a schedule without a prominent warning that user/session information is being captured and persisted. Silent background operation makes this more dangerous because users may not realize ongoing collection is happening, reducing informed consent and increasing the chance of sensitive data exposure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script transmits host context and recent session data over plain HTTP to a local service, with no user-facing disclosure and no transport security. Even on localhost, plaintext transport and silent background execution increase the risk of unintended disclosure through local interception, misbinding to non-local interfaces, logging, or service compromise.

Ssd 3

Severity: Medium
Confidence: 97%
Finding: The script explicitly stores recent session data and the current working directory in plain language inside persistent memory records. Those fields can reveal confidential prompts, project names, repository paths, customer identifiers, or other sensitive context that may later be exposed through search, logs, backups, or unauthorized database access.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
MUNINN_TOKEN=$(cat ~/.muninn/openclaw.key)

# Save
curl -s -X POST "$MUNINN_URL/api/engrams" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $MUNINN_TOKEN" \
  -d '{"concept":"kurzer-titel","content":"vollstaendiger text","vault":"hermes"}'
Confidence: 90%
Finding: curl -s -X POST "$MUNINN_URL/api/engrams" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $MUNINN_TOKEN" \ -d '{"concept":"kurzer-titel","content":"vollstaendiger text","vault"

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
Letzte Sessions: $RECENT_SESSIONS"

# Save to MuninnDB
RESULT=$(curl -s -X POST "$MUNINN_URL/api/engrams" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $MUNINN_TOKEN" \
  -d "$(jq -n --arg c "cron-snapshot-$HOSTNAME" --arg x "$SUMMARY" \
Confidence: 88%
Finding: curl -s -X POST "$MUNINN_URL/api/engrams" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $MUNINN_TOKEN" \ -d

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
# Vault: hermes
# Silent on success, error output on failure
# ==========================================
# Installed via: cronjob action=create \
#   name="MuninnDB Memory Snapshot" \
#   schedule="every 30m" \
#   script=muninndb-memory-snapshot.sh \
Confidence: 89%
Finding: create \ # name="MuninnDB Memory Snapshot" \ # schedule="every 30m" \ # script=muninndb-memory-snapshot.sh \ # no_agent=true \ # workdir="/Users/bits" # =====================================

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.