Muninn Memory

Production memory for AI agents. Cloudflare-native with 99.1% LOCOMO accuracy. Knowledge graph, temporal reasoning, multi-hop retrieval. Free tier available.

What to consider before installing: - Metadata vs reality: The registry metadata claims no env vars and 'instruction-only', but the shipped files include a full Node project, package-lock, and many sources. Treat this as a codeful package, not just documentation. - Undeclared credentials and binaries: SKILL.md asks you to export MUNINN_API_KEY and MUNINN_ORG, use 'ollama', and optionally install Python/PyTorch for TurboQuant — none of these are declared in the skill metadata. Ask the publisher to declare required env vars and binaries, and do not provide secrets until you trust the code. - Network & servers: The skill runs a local MCP server (npm run mcp) and recommends a cloud API at api.muninn.au. Running it will open network endpoints and may transmit memories to a remote service if you configure cloud mode. If you need offline-only operation, verify and run only the local mode after auditing the code paths that perform network calls. - Audit the code: If you plan to install, review the code paths that call external endpoints (search for fetch/xhr/http/https requests in src/ and mcp server code) and any telemetry/analytics calls. Also inspect package.json scripts and npm run mcp to see exactly what gets launched. - Run in a sandbox first: Install and run the skill inside a disposable container or VM without secret env vars, and monitor outbound network traffic. Only provide API keys (MUNINN_API_KEY, OpenAI/Anthropic BYOK) when you have manually verified where the keys are used and whether data leaves your environment. - License and provenance: The code claims AGPL-3.0; source and homepage are unknown. Prefer packages with clear provenance and a public repo. If you need this capability but can't verify authorship, consider alternative, well-audited memory packages. If you want, I can: - scan the repository for network calls and list the files/lines that contact external hosts, - inspect package.json and npm scripts to show what 'npm run mcp' runs, - identify where MUNINN_API_KEY or other env vars are referenced in code. Tell me which check you'd like first.

Type: OpenClaw Skill Name: muninn-skill Version: 2.0.0 The skill bundle implements a highly complex memory system with features like knowledge graphs, temporal reasoning, and vector compression. It uses the `child_process` module in `src/storage/turboquant-client.ts` to spawn a persistent Python process (`src/storage/turboquant-server.py`) for vector quantization. This Python script contains a hardcoded absolute path (`/home/homelab/projects/turboquant_pkg`) to import dependencies, which is a significant non-portable vulnerability and a potential security risk if the environment is compromised. While these capabilities are aligned with the stated purpose of the skill, the combination of process spawning and insecure path handling is risky.