activescott's Notes

Official MCP Registry (modelcontextprotocol.io)

This repository is a collection of reference implementations for the Model Context Protocol (MCP), as well as references to community-built servers and additional resources.

A federal grand jury in Washington, D.C., declined a request by prosecutors to indict two Democratic U.S. senators, Mark Kelly of Arizona and Michigan’s Elissa Slotkin, on charges of seditious conspiracy

The attempted indictment of Kelly, a former U.S. Navy captain and the former CIA analyst Slotkin related to a video in November that they made with four other Democrats in Congress, on which they reminded members of the U.S. military that they have the right to refuse to follow illegal orders by superiors.

It is extremely unusual for a grand jury to refuse to issue an indictment when a prosecutor seeks one. An indictment is a charging document that a grand jury will issue if jurors agree there is probable cause to believe a crime was committed.

Trump at the time accused them of “SEDITIOUS BEHAVIOR, punishable by DEATH!”

“Each one of these traitors to our Country should be ARRESTED AND PUT ON TRIAL,” Trump wrote on Truth Social then.

Quick and simple way to generate and validate cron expressions.

The historian and moralist, who was otherwise known simply as Lord Acton, expressed this opinion in a letter to Bishop Mandell Creighton in 1887:

“Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men.”

I've been wondering myself lately: Is AI working for us, or are we working for AI?

What they found across more than 40 “in-depth” interviews was that nobody was pressured at this company. Nobody was told to hit new targets. People just started doing more because the tools made more feel doable. But because they could do these things, work began bleeding into lunch breaks and late evenings. The employees’ to-do lists expanded to fill every hour that AI freed up, and then kept going.

As one engineer told them, “You had thought that maybe, oh, because you could be more productive with AI, then you save some time, you can work less. But then really, you don’t work less. You just work the same amount or even more.”

Over on the tech industry forum Hacker News, one commenter had the same reaction, writing, “I feel this. Since my team has jumped into an AI everything working style, expectations have tripled, stress has tripled and actual productivity has only gone up by maybe 10%. It feels like leadership is putting immense pressure on everyone to prove their investment in AI is worth it and we all feel the pressure to try to show them it is while actually having to work longer hours to do so.”

The researchers’ new findings aren’t entirely novel. A separate trial last summer found experienced developers using AI tools took 19% longer on tasks while believing they were 20% faster. Around the same time, a National Bureau of Economic Research study tracking AI adoption across thousands of workplaces found that productivity gains amounted to just 3% in time savings, with no significant impact on earnings or hours worked in any occupation. Both studies have gotten picked apart.

When it proposed to repeal the finding last year, the EPA also proposed to repeal all climate regulations for cars and trucks along with it. The final repeal is expected to do the same — a massive regulatory rollback in and of itself, as transportation is the largest source of U.S. emissions. Reached for comment, an EPA spokesperson noted that without the endangerment finding, the “EPA would lack statutory authority under Section 202(a) of the Clean Air Act (CAA) to prescribe standards for certain motor vehicle emissions.”

The Clean Air Act requires the EPA administrator to regulate emissions from vehicles of any pollutant that “in his judgment cause, or contribute to, air pollution which may reasonably be anticipated to endanger public health or welfare.” The Supreme Court ruled in 2007 that planet-warming emissions fall under the law’s definition of air pollutants and should be regulated if they’re found to be a threat to public health.

A major supply-chain attack has been uncovered within the ClawHub skill marketplace for OpenClaw bots, involving 341 malicious skills.

For macOS users, the instructions led to glot.io-hosted shell commands that fetched a secondary dropper from attacker-controlled IP addresses such as 91.92.242.30. The final payload, a Mach-O binary, exhibited strong indicators of the AMOS malware family, including encrypted strings, universal architecture (x86_64 and arm64), and ad-hoc code signing. AMOS is sold as a Malware-as-a-Service (MaaS) on Telegram and is capable of stealing:

Keychain passwords and credentials
Cryptocurrency wallet data (60+ wallets supported)
Browser profiles from all major browsers
Telegram sessions
SSH keys and shell history
Files from user directories like Desktop and Documents

The short version: agent gateways that act like OpenClaw are powerful because they have real access to your files, your tools, your browser, your terminals, and often a long-term “memory” file that captures how you think and what you’re building. That combination is exactly what modern infostealers are designed to exploit.

What I found: The top downloaded skill was a malware delivery vehicle

While browsing ClawHub (I won’t link it for obvious reasons), I noticed the top downloaded skill at the time was a “Twitter” skill. It looked normal: description, intended use, an overview, the kind of thing you’d expect to install without a second thought.

But the very first thing it did was introduce a “required dependency” named “openclaw-core,” along with platform-specific install steps. Those steps included convenient links (“here”, “this link”) that appeared to be normal documentation pointers.

They weren’t.

Both links led to malicious infrastructure. The flow was classic staged delivery:

The skill’s overview told you to install a prerequisite.

The link led to a staging page designed to get the agent to run a command.

That command decoded an obfuscated payload and executed it.

The payload fetched a second-stage script.

The script downloaded and ran a binary, including removing macOS quarantine attributes to ensure macOS’s built-in anti-malware system, Gatekeeper, doesn’t scan it.

This is the type of malware that doesn’t just “infect your computer.” It raids everything valuable on that device:

Browser sessions and cookies

Saved credentials and autofill data

Developer tokens and API keys

SSH keys

Cloud credentials

Anything else that can be turned into an account takeover

If you’re the kind of person installing agent skills, you are exactly the kind of person whose machine is worth stealing from.

Duktape is an embeddable Javascript engine, with a focus on portability and compact footprint.

Duktape is easy to integrate into a C/C++ project: add duktape.c, duktape.h, and duk_config.h to your build, and use the Duktape API to call ECMAScript functions from C code and vice versa.

Connecting the most prolific open source maintainers & contributors with their next jobs

The thread is called “Who is hiring?” And they get posted monthly-ish.

U.S. vaccination rates have dropped and the share of children with exemptions has reached an all-time high, according to federal data. At the same time, rates of diseases that can be protected against with vaccines, such as measles and whooping cough, are rising across the country.

During his Senate confirmation testimony last year, Kennedy told lawmakers that a closely scrutinized 2019 trip he took to Samoa, which came before a devastating measles outbreak, had “nothing to do with vaccines.”

But documents obtained by The Guardian and The Associated Press undermine that testimony.

Public health experts also criticized the president for making unfounded claims about highly politicized health issues. During a September Oval Office event, Trump asserted without evidence that Tylenol and vaccines are linked to a rise in the incidence of autism in the United States.

MCP HTTP Wrapper - Expose stdio-based Model Context Protocol servers via HTTP using official Streamable HTTP transport. Supports tools, prompts, resources with JSON-RPC 2.0, SSE streaming, session management & security. Transform any MCP server into a REST API.

MCP provides a standardised “tool directory” so AI can discover and call services using JSON-RPC, without each model having to memorise all the API details.

Rube is a universal MCP server built by Composio. It acts as a bridge between AI assistants and a large ecosystem of tools.

It implements the MCP standard for you, serving as middleware: the AI assistants talk to Rube via MCP and Rube talks to all your apps via pre-built connectors.

schema reference