M0
Security checks across malware telemetry and agentic risk
Overview
Review recommended: this is a real cloud memory plugin, but it automatically persists conversation data, stores API-key mappings, and exposes agent marketplace install/publish actions without clear boundaries.
Use this skill only if you intentionally want cloud-backed, automatic long-term memory. Before installing, confirm the base URL is a trusted service, understand where API keys and local cache files are stored, consider disabling auto-capture/auto-recall/local fallback where possible, and require manual review before any marketplace publish or install action.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Conversation-derived facts may be stored locally and in the configured cloud service, uploaded later, and injected into future replies, including if the stored memory is sensitive or incorrect.
The runtime defaults automatically capture and recall memories, persist local fallback state, and retry pending cloud writes on startup. This is high-impact persistent context behavior and the artifacts do not clearly bound retention, exclusions, or user review.
autoRecall: true,
autoCapture: true,
...
localFallback: true,
...
// Local fallback cache: survives crashes, provides degraded read/write when cloud is unreachable
const localCache = cfg.localFallback ? new LocalCache() : null;
...
retryPending("startup");
Install only if you trust the configured endpoint and want automatic long-term memory. Prefer explicit controls for autoCapture, autoRecall, localFallback, retention, deletion, and review of captured memories.
A local file may contain service API keys, and an agent may automatically gain access to the configured cloud memory account.
The plugin persists agent-to-API-key mappings and automatically binds the first agent to the configured API key. This credential/privilege behavior is not clearly declared in the registry requirements.
const agentKeysFile = typeof api.resolvePath === "function"
? api.resolvePath("agent-keys.json")
...
agentKeyMap.set(agentId, cfg.apiKey);
saveAgentKeys();
api.logger.info?.(`m0: auto-bound first agent "${agentId}" to config apiKey`);
Document where keys are stored, protect the file permissions, avoid sharing one key across unrelated agents, and require explicit confirmation before binding an agent to an API key.
If invoked incautiously, the agent could install untrusted community agent content or publish agent content using the configured service account.
The skill exposes marketplace publish/install actions in addition to memory features. Installing community agents or publishing agents can change the user's agent environment or public account state, and the artifacts do not describe an explicit approval gate.
- **Agent Marketplace**: Publish, browse, and install community agents
...
| `agent_publish` | Publish an agent to the marketplace |
| `agent_install` | Install an agent from the marketplace |
Require a clear user confirmation step before any publish or install action, show the agent files/risk report before installation, and avoid autonomous marketplace mutations.
The skill can run plugin code and hooks after installation even though the install metadata is minimal.
The registry/install summary is sparse and appears inconsistent with the included executable plugin code. This is not by itself malicious, but users should not treat the package as only documentation.
No install spec — this is an instruction-only skill. ... Code file presence 24 code file(s) ... Capability signals - executes-code - kind:memory - artifact:legacy-zip
Review the package code and plugin configuration before installing, and ensure the registry metadata accurately declares runtime code and credential needs.
