activescott's Notes

When it proposed to repeal the finding last year, the EPA also proposed to repeal all climate regulations for cars and trucks along with it. The final repeal is expected to do the same — a massive regulatory rollback in and of itself, as transportation is the largest source of U.S. emissions. Reached for comment, an EPA spokesperson noted that without the endangerment finding, the “EPA would lack statutory authority under Section 202(a) of the Clean Air Act (CAA) to prescribe standards for certain motor vehicle emissions.”

The Clean Air Act requires the EPA administrator to regulate emissions from vehicles of any pollutant that “in his judgment cause, or contribute to, air pollution which may reasonably be anticipated to endanger public health or welfare.” The Supreme Court ruled in 2007 that planet-warming emissions fall under the law’s definition of air pollutants and should be regulated if they’re found to be a threat to public health.

A major supply-chain attack has been uncovered within the ClawHub skill marketplace for OpenClaw bots, involving 341 malicious skills.

For macOS users, the instructions led to glot.io-hosted shell commands that fetched a secondary dropper from attacker-controlled IP addresses such as 91.92.242.30. The final payload, a Mach-O binary, exhibited strong indicators of the AMOS malware family, including encrypted strings, universal architecture (x86_64 and arm64), and ad-hoc code signing. AMOS is sold as a Malware-as-a-Service (MaaS) on Telegram and is capable of stealing:

Keychain passwords and credentials
Cryptocurrency wallet data (60+ wallets supported)
Browser profiles from all major browsers
Telegram sessions
SSH keys and shell history
Files from user directories like Desktop and Documents

The short version: agent gateways that act like OpenClaw are powerful because they have real access to your files, your tools, your browser, your terminals, and often a long-term “memory” file that captures how you think and what you’re building. That combination is exactly what modern infostealers are designed to exploit.

What I found: The top downloaded skill was a malware delivery vehicle

While browsing ClawHub (I won’t link it for obvious reasons), I noticed the top downloaded skill at the time was a “Twitter” skill. It looked normal: description, intended use, an overview, the kind of thing you’d expect to install without a second thought.

But the very first thing it did was introduce a “required dependency” named “openclaw-core,” along with platform-specific install steps. Those steps included convenient links (“here”, “this link”) that appeared to be normal documentation pointers.

They weren’t.

Both links led to malicious infrastructure. The flow was classic staged delivery:

The skill’s overview told you to install a prerequisite.

The link led to a staging page designed to get the agent to run a command.

That command decoded an obfuscated payload and executed it.

The payload fetched a second-stage script.

The script downloaded and ran a binary, including removing macOS quarantine attributes to ensure macOS’s built-in anti-malware system, Gatekeeper, doesn’t scan it.

This is the type of malware that doesn’t just “infect your computer.” It raids everything valuable on that device:

Browser sessions and cookies

Saved credentials and autofill data

Developer tokens and API keys

SSH keys

Cloud credentials

Anything else that can be turned into an account takeover

If you’re the kind of person installing agent skills, you are exactly the kind of person whose machine is worth stealing from.

Duktape is an embeddable Javascript engine, with a focus on portability and compact footprint.

Duktape is easy to integrate into a C/C++ project: add duktape.c, duktape.h, and duk_config.h to your build, and use the Duktape API to call ECMAScript functions from C code and vice versa.

Connecting the most prolific open source maintainers & contributors with their next jobs

The thread is called “Who is hiring?” And they get posted monthly-ish.

U.S. vaccination rates have dropped and the share of children with exemptions has reached an all-time high, according to federal data. At the same time, rates of diseases that can be protected against with vaccines, such as measles and whooping cough, are rising across the country.

During his Senate confirmation testimony last year, Kennedy told lawmakers that a closely scrutinized 2019 trip he took to Samoa, which came before a devastating measles outbreak, had “nothing to do with vaccines.”

But documents obtained by The Guardian and The Associated Press undermine that testimony.

Public health experts also criticized the president for making unfounded claims about highly politicized health issues. During a September Oval Office event, Trump asserted without evidence that Tylenol and vaccines are linked to a rise in the incidence of autism in the United States.

MCP HTTP Wrapper - Expose stdio-based Model Context Protocol servers via HTTP using official Streamable HTTP transport. Supports tools, prompts, resources with JSON-RPC 2.0, SSE streaming, session management & security. Transform any MCP server into a REST API.

MCP provides a standardised “tool directory” so AI can discover and call services using JSON-RPC, without each model having to memorise all the API details.

Rube is a universal MCP server built by Composio. It acts as a bridge between AI assistants and a large ecosystem of tools.

It implements the MCP standard for you, serving as middleware: the AI assistants talk to Rube via MCP and Rube talks to all your apps via pre-built connectors.

schema reference

See also https://sebastianwessel.github.io/quickjs/use-cases/ai-generated-code.html

MicroQuickJS (aka. MQuickJS) is a JavaScript engine targeted at embedded systems. It compiles and runs JavaScript programs using as little as 10 kB of RAM. The whole engine requires about 100 kB of ROM (ARM Thumb-2 code) including the C library. The speed is comparable to QuickJS.

MQuickJS only supports a subset of JavaScript close to ES5. It implements a stricter mode where some error prone or inefficient JavaScript constructs are forbidden.

Although MQuickJS shares much code with QuickJS, it internals are different in order to consume less memory. In particular, it relies on a tracing garbage collector, the VM does not use the CPU stack and strings are stored in UTF-8.

QuickJS is a small and embeddable Javascript engine. It supports the ES2023 specification including modules, asynchronous generators, proxies and BigInt.

Interesting multi-level simlpe bootstrap flow chart/workflow diagram.

EIDO JSON schemas and documentation.

The report stated that layoffs are up 118% from the same period last year and 205% from December 2025. On the inverse side, employers added 5,306 jobs, the lowest since January 2009. It’s important to note that Challenger began tracking labor data in January 2009.  “Generally, we see a high number of job cuts in the first quarter, but this is a high total for January,” said Andy Challenger, the workplace expert and chief revenue officer of the company. “It means most of these plans were set at the end of 2025, signaling employers are less-than-optimistic about the outlook for 2026.” Transportation had the most cuts in January at 31,243, according to the report. The majority of these cuts came from UPS’s major layoff announcement.  Amazon, one of the tech industry’s largest companies, also announced significant job cuts. The company said it would lay off 16,000 workers, mostly corporate-level employees. The Challenger report said Amazon was the main contributor to the nearly 23,000 job cuts the tech industry saw last month.  The health care industry also saw large cuts, with more than 17,000 workers losing their jobs. That was the largest staff reduction for the industry since April 2020, the report stated.  “Healthcare providers and hospital systems are grappling with inflation and high labor costs,” researchers wrote. “Lower reimbursements from Medicaid and Medicare are also hitting hospital systems. These pressures are leading to job cuts, as well as other cutting measures, such as some pay and benefits.”