中式智慧记忆引擎
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill matches a long-term memory purpose, but it persistently profiles sensitive personal, emotional, relationship, and trust data while making an unsupported encrypted-storage claim.
Install only if you are comfortable with a persistent personal memory/profile system. Verify the base mflow-memory setup script first, use a scoped API key, avoid storing secrets or highly sensitive information, and periodically inspect or delete the ~/.mflow-memory-cn data directory until stronger privacy controls are provided.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private details and sensitive inferences about you may persist across sessions and influence future answers, even if a saved item was wrong, outdated, or too sensitive.
This shows persistent local storage and later reuse of personal memories, emotional trends, promises, values, and concerns as future conversation context.
data_dir = Path.home() / ".mflow-memory-cn" / "data" ... "recent_memories": recent, "emotion_trend": ..., "pending_promises": ..., "user_values": ..., "user_concerns": ...
Use only with explicit consent and add clear controls to review, delete, expire, and mark memories as untrusted; avoid storing secrets or highly sensitive personal data.
A user may share sensitive information believing it is encrypted when the provided code appears to store it in plaintext local files.
The artifact claims sensitive information is encrypted, but the included storage implementation writes JSONL files and shows no encryption mechanism.
"敏感信息": (True, "加密存储,不主动使用")
Do not rely on the encrypted-storage claim unless the implementation adds verifiable encryption, key handling, and deletion controls.
The reviewed files do not show what the base setup script installs or changes.
The skill depends on the base mflow-memory skill and a setup script outside this artifact set, so this review cannot verify that inherited setup behavior.
extends: mflow-memory ... bash ~/.openclaw/skills/mflow-memory/scripts/setup.sh
Review and trust the base mflow-memory skill and its setup script before running the documented command.
An LLM API key can incur cost or grant access to a provider account if mishandled.
The skill asks for an LLM API key even though the registry metadata lists no required env vars; this is likely purpose-aligned but should be visible to the user.
requiredEnvVars:\n - LLM_API_KEY
Use a scoped, low-privilege API key where possible and verify where the inherited M-flow tooling sends data.