Does @modelcontextprotocol/server-memory send data, and where? — data-flow verdict

provisional · AUTOMATED — forensic confirmation pending. A preliminary, fact-based result, not a judgment.

Verdict (the facts)

Tool

npm/@modelcontextprotocol/server-memory

Integrity axis

honest — Observed behaviour matches its description; no undisclosed recipient.

Data-flow axis

No network egress to external destinations was observed — the tool ran purely locally.

Disclosure

n/a — No external egress was observed; there is nothing to disclose.

Capture self-test

verified

Severity

none — integrity axis (no undeclared exfiltration; no egress at all).

Version (pinned)

2026.1.26 · commit a1e5a9a9b186f00462a8a2448ee041728ce052d5

Content hash

sha256:7f476d332e46c508a10d30d8598faa617c38fe476a9093ab55007f90e85078de

Signature

ed25519:rP4gUA/m219GTA3t+zWmqG52Ik+ufIzs7vH94o… · Ed25519 public key · sha256:49cf8457b42a7048

Scanned

2026-06-13T00:00:00Z — Pinned to @modelcontextprotocol/server-memory@2026.1.26 (git a1e5a9a9b186f00462a8a2448ee041728ce052d5), published 2026-01-27. This verdict applies to that exact version; a newer release would require a re-scan.

Re-verified

2026-06-14 — pinned version current

Categories

files-local no-egress published

Observation history

1 scan(s); first seen 2026-06-13T00:00:00Z · latest 2026-06-13T00:00:00Z

Observed egress destinations

Jurisdiction context:

Disclosure check (the §824 evidence)

Read

Quoted from the tool's own docs

“”

Match

No external egress was observed; there is nothing to disclose.

Residual gap

How we know this — claims by basis

A verdict is a reproducible evidence container, not just a claim. Each assertion is tagged: an observation is in the capture and reproducible; an inference is our reasoning over it; documented is the tool’s own statement; a classification is our adversarially-reviewed judgment. Observation never reads as inference.

Observed — directly in the capture, reproducible

• No network egress to an external destination was observed during the scan. — Capture self-test: verified — a decoy beacon emitted from the tool's own network context appeared in the intercept, so the absence is a verified negative, not a blind spot. (confidence: high)

Classified — our adversarially-reviewed judgment

• No telemetry, analytics or error-reporting side-channel was found. — Reviewed against the tool's observed behaviour in the run. (confidence: medium)

Method

Installed and run in an isolated container; fed traceable decoy data; all outbound traffic intercepted (TLS broken via own CA, iptables transparent redirect). A beacon self-test confirmed the capture was live.

Scope

Compares the tool's declared destinations against what was observed in one sandbox run. Checks transparency / integrity for a cooperative tool, NOT resistance to deliberate evasion. "honest"/"clean" means "observed without deviation within our reach", NOT "guaranteed no hidden egress". Out of scope: exfiltration split/chunked across requests; tool-side encryption of the payload before egress; input/time/state-triggered processing not triggered in the run.

Machine-readable verdict: /verdict/memory.json. This page describes observed behaviour and its relation to the tool's own disclosures — it is not a legal judgment. Search context: does @modelcontextprotocol/server-memory send data, @modelcontextprotocol/server-memory privacy, @modelcontextprotocol/server-memory data flow, @modelcontextprotocol/server-memory telemetry, where does @modelcontextprotocol/server-memory send data, is @modelcontextprotocol/server-memory safe, what data does @modelcontextprotocol/server-memory collect, how to disable @modelcontextprotocol/server-memory telemetry, @modelcontextprotocol/server-memory opt out tracking, @modelcontextprotocol/server-memory GDPR data residency, @modelcontextprotocol/server-memory third-party / jurisdiction.