M-flow Memory
Security checks across malware telemetry and agentic risk
Overview
This looks like a legitimate long-term memory skill, but its setup may expose a persistent memory API beyond the local agent and automatically stores conversation content.
Install only if you want persistent cross-session memory. Before using it with private data, restrict the MCP port to localhost or firewall it, use a dedicated LLM API key, verify the Docker image source, and learn how to delete/prune memories or run teardown.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the service is reachable from other machines or local processes, they may be able to interact with the memory server and access or alter stored conversation memories.
The setup publishes the MCP service as an HTTP/SSE server on a host port, while registering a plain localhost URL with no authentication details. Docker port publishing without an explicit 127.0.0.1 bind commonly exposes the service on host network interfaces, which is overbroad for a local memory API.
-p "$PORT:8000" \
-e "TRANSPORT_MODE=sse" \
...
mcp['mflow-memory'] = {
'url': 'http://localhost:$PORT/sse',
'transport': 'sse'
}
Bind the server to 127.0.0.1 only, add authentication if supported, and firewall the port before storing sensitive memories.
Past conversation details may influence future answers, and private information may remain stored across sessions unless deleted.
The skill deliberately creates persistent memory from conversations and retrieves it automatically. This is central to the skill, but it can preserve sensitive details or reuse incorrect or maliciously planted memories later.
Before answering, silently call `search` ... At the end of a conversation ... call `save_interaction` with the conversation content.
Use this only if persistent memory is desired; avoid discussing highly sensitive information, and use delete/prune/teardown controls when memory should be removed.
The container can use the provided LLM API key, which may incur costs or expose submitted memory content to the configured LLM provider.
The setup collects an LLM API key and passes it into the Docker container. This is expected for LLM-based memory extraction, but it is still a sensitive credential.
API_KEY="${LLM_API_KEY:-}"
...
read -p "LLM API Key: " API_KEY
...
-e "LLM_API_KEY=$API_KEY"
Use a dedicated limited-scope API key, monitor usage, rotate it if needed, and prefer hidden input handling for setup prompts.
You are trusting the external container image with memory data and the LLM API key.
The setup runs an external Docker image. The digest pinning reduces update drift, but the container contents are not included in the provided artifacts.
IMAGE="flowelement/m_flow-mcp:latest@sha256:ba9955bb9c9e57b40bf5619f37474357bfe00268e81514783a956de2b301bb82" ... docker pull "$IMAGE"
Verify the image source and digest against the project repository or build from source if stronger provenance is needed.
The memory service and stored data can remain active after OpenClaw restarts until explicitly stopped or removed.
The service is designed to keep running after setup and to persist its memory database in a Docker volume. This matches the long-term memory purpose, but users should be aware of the ongoing background service.
--restart unless-stopped \ ... -v "$VOLUME_NAME:/srv/mcp/m_flow/.mflow"
Use the documented teardown script or Docker commands to stop the service, and remove the volume if you no longer want stored memories retained.
