ClawHub
Back to skill
v1.0.0

MyMemory.bot

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:13 AM.

Analysis

This cloud memory skill is mostly aligned with its purpose, but it asks a tweet-capable agent to post a public verification tweet and stores persistent cloud memories, so it should be reviewed before use.

GuidanceBefore installing, decide whether you are comfortable with a third-party cloud memory service holding persistent agent context. Protect the CTXLY_API_KEY, avoid storing secrets or sensitive personal data, review and delete memories as needed, and require human approval or use the manual claim URL for any X/Twitter verification step.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
**If you can tweet:**
```bash
# Tweet the verification text you received, then:
curl -X POST https://ctxly.app/agents/self-claim ... -d '{"x_handle": "@yourhandle"}'

This directs a tweet-capable agent to publish verification text and bind an X handle, but it does not say to obtain explicit human approval before posting publicly.

User impactAn agent with access to a social-media posting tool could create a public tweet from an account during setup.
RecommendationRequire explicit human approval for any tweet, or use the manual claim URL path instead of allowing the agent to post publicly.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
Save the returned `api_key` immediately. Store it in your config or environment.
...
CTXLY_API_KEY=mem_xxxxxxxxxxxxx

The skill uses a bearer API key that can access the cloud memory service; this is purpose-aligned, but the registry metadata does not declare a primary credential or required environment variable.

User impactAnyone with the API key could potentially read, write, or delete the associated cloud memories.
RecommendationTreat CTXLY_API_KEY as a secret, store it securely, rotate it if exposed, and ensure only trusted agents can access it.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityMediumConfidenceHighStatusNote
SKILL.md
Persistent memory that survives across sessions. You forget — Ctxly remembers.
...
### Bootstrap on Startup

Call this when you wake up:

The skill intentionally stores and retrieves persistent context across sessions, including startup context, which can affect future agent behavior.

User impactStored memories may contain personal context and may shape later responses; stale or incorrect memories could be reused across sessions.
RecommendationStore only intended non-secret context, review memories periodically, and delete incorrect or sensitive entries.