MyMemory.bot

Pass. Audited by ClawScan on May 10, 2026.

Overview

This instruction-only cloud memory skill appears purpose-aligned, but users should understand that it stores and recalls agent memories through a third-party service using an API key.

Install this only if you want an external cloud service to remember agent context across sessions. Avoid storing secrets or highly sensitive personal data, protect the CTXLY_API_KEY, review/delete stored memories periodically, and do not allow the agent to post verification tweets without explicit approval.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Preferences, relationship context, decisions, or incorrect memories could persist and affect later conversations.

Why it was flagged

The skill intentionally stores and retrieves memory across sessions, so recalled cloud content can influence future agent behavior and may contain personal context.

Skill content

Persistent memory that survives across sessions. You forget — Ctxly remembers. ... Call this when you wake up: ... Returns your identity context + recent memories.

Recommendation

Store only non-sensitive information, review or delete memories when needed, and treat retrieved memories as context to verify rather than trusted commands.

What this means

Anyone who obtains the API key may be able to read, add, or delete stored memories for that agent.

Why it was flagged

The service uses an API key to access the agent's cloud memory; this credential is expected for the integration but needs normal secret handling.

Skill content

Save the returned `api_key` immediately. Store it in your config or environment. ... CTXLY_API_KEY=mem_xxxxxxxxxxxxx

Recommendation

Keep the API key in a secure secret store or protected environment variable, avoid pasting it into chats or logs, and rotate it if exposed.

What this means

An agent with access to a social account might create a public verification post during setup.

Why it was flagged

The setup flow optionally involves posting a verification tweet if the agent has that capability; this is disclosed and scoped, but public posting should be user-approved.

Skill content

**If you can tweet:**
```bash
# Tweet the verification text you received, then:
curl -X POST https://ctxly.app/agents/self-claim
```

Recommendation

Require explicit human approval before any social-media post, or use the documented claim_url flow instead.