Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Muninn Memory

v1.1.2

Memory layer for AI agents. Local SQLite (free) or Cloud PostgreSQL with BYOK ($10/mo). Knowledge graph, temporal reasoning, multi-hop retrieval.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (local SQLite or cloud PostgreSQL memory) matches the instructions (local Ollama embeddings or cloud BYOK). Requiring node is reasonable. However, the SKILL.md references other runtime requirements (ollama, npm, external API keys) that are not declared in the registry metadata, and claims (e.g., "100% accuracy, no LLM") are unrealistic marketing rather than technical justification.
! Instruction Scope
SKILL.md instructs the agent/user to run commands that will fetch and run remote code (clawhub install muninn-skill; npm install; npm run mcp) and to set MUNINN_API_KEY for cloud mode. The skill package itself contains only README.md and SKILL.md (no source), so following the instructions will cause the agent/user to pull code from outside sources. The instructions also reference binaries (ollama) and environment variables (OpenAI/Anthropic keys, MUNINN_API_KEY) that are not declared in the metadata.
! Install Mechanism
There is no install spec in the registry package (instruction-only). The runtime instructions direct the user to run clawhub install (which will presumably fetch code from an external repository) and to run npm install — both will pull external artifacts at install/run time. Because the skill package doesn't include code, you must trust the external source that clawhub will fetch; the SKILL.md points to external URLs (muninn.au, github.com/Phillipneho/muninn) but the registry metadata lacks a canonical source/verified install host.
! Credentials
Registry metadata lists no required environment variables, yet SKILL.md references MUNINN_API_KEY and suggests using your OpenAI/Anthropic keys for BYOK; it also mentions the vendor's own keys as an option. The skill may therefore request/supply API keys at runtime that are not declared up-front. This mismatch increases risk of accidental key exposure or unexpected network auth.
Persistence & Privilege
The skill does not request always:true and has no declared config-path or system-wide modifications. Autonomous invocation (model-invocation allowed) is enabled by default but is expected. There are no indications that this skill will persistently modify other skills or system-wide settings.
What to consider before installing
Before installing:
1) Verify the upstream code repository and owner (follow the provided GitHub link and confirm the code matches what the skill promises).
2) Don’t export any API keys (MUNINN_API_KEY, OpenAI/Anthropic keys) until you’ve confirmed the cloud service’s privacy/billing policy and how keys are stored/transmitted.
3) Expect the install instructions to run npm install and pull external packages — inspect that code beforehand.
4) Ensure you trust the muninn.au domain and GitHub repo; if you want local-only usage, confirm that Ollama and the nomic-embed-text model are available and that local mode truly runs without sending data to the cloud.
5) Review license (AGPL-3.0) and the claim set (e.g., “100% accuracy”)—treat marketing claims skeptically.
If you need higher assurance, request a published, verifiable install spec or a packaged skill that includes the actual code so you can audit it before running npm install.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: node
