Back to skill

Security audit

M-flow Memory

Security checks across malware telemetry and agentic risk

Overview

This is a real long-term memory skill, but it stores conversations automatically and installs a persistent Docker service with weak privacy, credential, and consent disclosures.

Install only if you deliberately want cross-session memory. Use a dedicated limited-scope API key, avoid storing secrets or regulated data, review the OpenClaw config change, restrict access to the Docker-exposed port, and understand how to prune memories or remove the Docker volume before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script collects an LLM API key and injects it into a third-party Docker container, which expands the skill's trust boundary beyond simple local memory storage. Even if this is functionally required for knowledge extraction, the setup does not clearly explain that the credential will be exposed to containerized code and may be used for external network calls.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README clearly advertises persistent storage of conversations, preferences, and facts across sessions, but it does not explicitly warn users about privacy, retention, or the sensitivity of remembered data. In a memory skill, this omission is security-relevant because users may unknowingly enable long-term storage of sensitive personal or organizational information in a Docker volume.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to persistently store conversation content and user preferences, but it does not require any user notice, consent, retention policy, or guidance on handling sensitive data. Because this is a long-term memory skill by design, the absence of privacy warnings and controls materially increases the risk of collecting and retaining personal or confidential information unexpectedly.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The setup instructions start a Dockerized local service and register it with OpenClaw, expanding the system's running services and tool surface without warning the user what will be launched or what data it may process. While this is not inherently malicious, silently adding a persistent memory backend can surprise users and lead to unintended exposure of conversation data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes persistent long-term memory for conversations but does not warn users that potentially sensitive conversation content will be retained across sessions. In a memory skill, this omission is security-relevant because users may unknowingly store secrets, personal data, or regulated information in a durable store, increasing privacy and breach exposure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README requires an OpenAI API key for LLM-based knowledge extraction but does not disclose that conversation-derived content may be sent to an external third-party service for processing. In the context of a long-term memory tool handling past conversations and preferences, that missing disclosure materially increases privacy and compliance risk because users may not realize their data can leave the local environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script acquires an API key and passes it as an environment variable into the container without an explicit warning at the point of entry that the secret will be accessible inside containerized code. Secrets in container environment variables may be exposed through logs, inspection tooling, process metadata, or compromise of the image/runtime.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup script modifies the user's persistent OpenClaw configuration automatically, which changes future agent behavior and trust relationships without an approval step. Silent persistence is risky because it can register services that remain active after setup and may be difficult for users to notice or audit.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to persist meaningful conversation content, including facts, preferences, decisions, and plans, but provides no requirement for user consent, notice, retention limits, or sensitivity filtering. In a memory skill, this creates a real privacy and data-governance risk because users may disclose personal or confidential information that gets stored across sessions without clear disclosure.

Session Persistence

Medium
Category
Rogue Agent
Content
Long-term memory engine for OpenClaw agents using M-flow knowledge
  graphs. Stores conversations as structured episodic memories and
  retrieves via graph-routed search. Use when the agent needs to
  remember past conversations, recall user preferences, or maintain
  context across sessions. Requires Docker.
---
Confidence
83% confidence
Finding
maintain context across sessions

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.