ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ActingWeb Memory

v1.0.0

Stores and retrieves personal preferences, decisions, and context across conversations using ActingWeb Personal AI Memory via MCP. Activates when the user me...

0· 312·0 current·0 all-time
byGreger Teigre Wedel@gregertw
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description claim a persistent personal memory integration via an ActingWeb MCP server; the agent manifest and SKILL.md consistently reference an MCP at https://ai.actingweb.io/mcp and provide memory tool calls (search, save, get, etc.). Nothing requested by the skill (no unrelated env vars or config paths) conflicts with this purpose.
Instruction Scope
SKILL.md limits runtime behavior to searching, saving, updating, deleting, and using context builder/remote actions via the declared MCP tools. It instructs searching before replying and to confirm destructive actions; it does not instruct reading unrelated local files, exfiltrating arbitrary data, or calling third-party endpoints outside the ActingWeb domain.
Install Mechanism
The skill is instruction-only with no package install spec. It includes a helper script (scripts/manual-oauth.sh) to perform a PKCE OAuth flow against ai.actingweb.io and write tokens to mcporter's vault (~/.mcporter/credentials.json). This is expected for headless OAuth but requires local tools (curl, python3, node, openssl, mcporter) and will write credentials to disk — review the script before running.
Credentials
The skill declares no required environment variables and only needs user OAuth tokens for the ActingWeb MCP (as described). The script and docs request authentication to the stated ActingWeb endpoint; there are no requests for unrelated service credentials or broad system secrets.
Persistence & Privilege
always:false (not force-installed). The manifest allows implicit invocation (allow_implicit_invocation: true) which is normal for skills — however, because this skill accesses long-term personal memory, autonomous invocation is sensitive: consider whether you want the assistant to consult or modify memory without an explicit user prompt.
Assessment
This skill appears to do exactly what it says: talk to an ActingWeb MCP server to read and write long-term memories. Before installing, confirm you trust the MCP endpoint (https://ai.actingweb.io/mcp). If you will run the manual OAuth helper: (1) inspect scripts/manual-oauth.sh yourself — it registers a dynamic OAuth client and writes access/refresh tokens (and client info) into ~/.mcporter/credentials.json; (2) be prepared to install mcporter and the local tools the script requires (curl, python3, node, openssl); (3) understand that the assistant may be allowed to consult shared memories and remote actions — ask how shared categories/connections are restricted in your dashboard. If you do not want the assistant to access or update long-term memory autonomously, do not enable implicit invocation or avoid installing the MCP credentials.

Like a lobster shell, security has layers — review code before you run it.

actingwebvk9740as4bbksyr99wr6xb1qnxd8250bklatestvk9740as4bbksyr99wr6xb1qnxd8250bkmcpvk9740as4bbksyr99wr6xb1qnxd8250bkmemoryvk9740as4bbksyr99wr6xb1qnxd8250bkpersonal-aivk9740as4bbksyr99wr6xb1qnxd8250bk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments