M2Wise

Pass. Audited by ClawScan on May 10, 2026.

Overview

M2Wise is a coherent long-term-memory skill, but installing it means the agent may persist conversation-derived personal facts and use external package/API integrations.

Install this only if you want the agent to maintain long-term memory. Review the external m2wise package before installing, configure provider API keys carefully, and establish rules for what the agent may remember and how to delete memories.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Personal facts, preferences, or mistaken/adversarial instructions could be stored and later influence future agent responses.

Why it was flagged

The skill intentionally creates persistent memory from conversation content even when the user has not explicitly asked to remember it, which is central to the purpose but sensitive.

Skill content

Be Proactive: Don't wait for the user to explicitly say "remember this". If they state a strong preference, save it using `sdk.add_message()`.

Recommendation

Use this only if you want persistent memory; set clear rules for what may be saved, avoid storing secrets, and periodically review or delete stored memories.

What this means

Your environment would run code from the external package and its dependencies, which this artifact review cannot inspect.

Why it was flagged

The skill depends on an unpinned external Python package that is not included in the reviewed artifacts.

Skill content

pip install m2wise[all]

Recommendation

Install deliberately, review the package source/provenance, and consider pinning a known version before use.

What this means

Provider credentials may be used for API calls and billing, and conversation-derived content may be processed by the configured provider.

Why it was flagged

The skill declares provider API keys for model/embedding services, which is expected for this integration but gives the package access to those accounts.

Skill content

env: [OPENAI_API_KEY, M2WISE_SILICONFLOW_API_KEY]

Recommendation

Use scoped keys where possible, monitor provider usage, and do not configure keys unless you are comfortable with the provider data flow.

What this means

If the MCP server is exposed to the wrong agent or workspace, stored memories could be searched, changed, or deleted.

Why it was flagged

The optional MCP server exposes memory tools such as add, search, sleep, and dream over the runtime's MCP channel.

Skill content

m2wise-mcp --data-dir ./data

Recommendation

Run the MCP server only in a trusted local/runtime context and ensure user IDs and tool access are isolated.