Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Muninn Memory

v2.0.0

Production memory for AI agents. Cloudflare-native with 99.1% LOCOMO accuracy. Knowledge graph, temporal reasoning, multi-hop retrieval. Free tier available.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes a production memory service (cloud and local modes), and the repository contains a full TypeScript/Node codebase consistent with that purpose. However, the registry metadata claims 'instruction-only' / no required env vars, while the docs and code clearly expect credentials (MUNINN_API_KEY, MUNINN_ORG) and additional tooling (ollama, Python/Torch for TurboQuant). This mismatch (metadata vs README/SKILL.md/files) is incoherent and surprising.
!
Instruction Scope
Runtime instructions ask you to: set MUNINN_API_KEY and MUNINN_ORG, curl a cloud API (api.muninn.au), pull embedding models with the 'ollama' CLI, run 'npm run mcp' to start a local MCP server, and optionally run a Python turboquant server. Those runtime steps create network access (calls to api.muninn.au, model downloads from Ollama) and start local servers. SKILL.md references env vars and binaries that are not declared in the registry metadata, granting the skill broader scope than advertised.
!
Install Mechanism
The registry shows no install spec (instruction-only), but the package includes a full package.json, package-lock.json, and many source files — i.e., this is a codeful skill that expects npm/pip installs and running servers. The README/SKILL.md instructs running npm install, npm run mcp, ollama pull, and pip installs (torch/scipy/numpy). Those steps download and install external artifacts and native libraries (PyTorch) and start processes; the absence of an explicit install spec in the registry metadata is inconsistent and raises supply-chain review needs.
!
Credentials
The public metadata lists no required env vars or primary credential, but SKILL.md instructs the user to export MUNINN_API_KEY and MUNINN_ORG for cloud usage and mentions BYOK for embeddings (OpenAI/Anthropic keys). Binaries such as 'ollama' and Python are required at runtime but not declared in 'required binaries'. Declaring no credentials while recommending use of a cloud API and BYOK is a disproportionate/omitted credential request and should be corrected or explicitly called out.
Persistence & Privilege
The skill does not request 'always: true' and allows user invocation. However, running 'npm run mcp' will start a local server that listens for MCP requests (network-facing process), and the cloud mode encourages sending data to api.muninn.au. This behavior is coherent for a memory system but elevates the surface for data exfiltration if you point the skill at a cloud service you don't control. No evidence in the scan shows the skill auto-enabling itself across agents, but starting servers and network I/O are important to consider.
Scan Findings in Context
[base64-block] unexpected: A prompt-injection pattern (base64-block) was detected in SKILL.md pre-scan. SKILL.md content shown here does not obviously include base64 payloads; this may be a false positive or relate to truncated/omitted sections. Either way, prompt-injection artifacts in skill docs are unexpected and worth a closer look.
What to consider before installing
- Metadata vs reality: The registry metadata claims no env vars and 'instruction-only', but the shipped files include a full Node project, package-lock, and many sources. Treat this as a codeful package, not just documentation.
- Undeclared credentials and binaries: SKILL.md asks you to export MUNINN_API_KEY and MUNINN_ORG, use 'ollama', and optionally install Python/PyTorch for TurboQuant — none of these are declared in the skill metadata. Ask the publisher to declare required env vars and binaries, and do not provide secrets until you trust the code.
- Network & servers: The skill runs a local MCP server (npm run mcp) and recommends a cloud API at api.muninn.au. Running it will open network endpoints and may transmit memories to a remote service if you configure cloud mode. If you need offline-only operation, verify and run only the local mode after auditing the code paths that perform network calls.
- Audit the code: If you plan to install, review the code paths that call external endpoints (search for fetch/xhr/http/https requests in src/ and mcp server code) and any telemetry/analytics calls. Also inspect package.json scripts and npm run mcp to see exactly what gets launched.
- Run in a sandbox first: Install and run the skill inside a disposable container or VM without secret env vars, and monitor outbound network traffic. Only provide API keys (MUNINN_API_KEY, OpenAI/Anthropic BYOK) when you have manually verified where the keys are used and whether data leaves your environment.
- License and provenance: The code claims AGPL-3.0; source and homepage are unknown. Prefer packages with clear provenance and a public repo. If you need this capability but can't verify authorship, consider alternative, well-audited memory packages.
If you want, I can:
- scan the repository for network calls and list the files/lines that contact external hosts,
- inspect package.json and npm scripts to show what 'npm run mcp' runs,
- identify where MUNINN_API_KEY or other env vars are referenced in code.

Tell me which check you'd like first.
src/storage/turboquant-client.ts:38
Shell command execution detected (child_process).
src/retrieval/answer-generator.ts:11
Environment variable access combined with network send.
src/storage/embeddings.ts:18
Environment variable access combined with network send.
src/storage/index.ts:185
Environment variable access combined with network send.
!
src/extractors/entity-builder.js:75
File read combined with network send (possible exfiltration).
!
src/extractors/entity-builder.ts:42
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest vk97arcdpz0wy60w6ay4tmf9fnh84mn5w

Runtime requirements

Bins: node