indigokarasu

Weave

by Indigo Karasu · GitHub ↗ · v2.3.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 248
Stars: 0
Active Installs: 0
Versions: 3
Install in OpenClaw
/install ocas-weave
Description
Private provenance-backed social graph. Maintains queryable records of people, relationships, preferences, and shared experiences for recall, gifting, hostin...
Usage Guidance
This skill appears to do what it says: a private local social graph with optional sync to Google Contacts and Clay, and read-only enrichment from Chronicle. Before installing or enabling it, consider:

- Self-updates & cron: README claims the skill registers a midnight cron job that pulls updates from GitHub. Ask the maintainer or platform how self-updates are performed and whether the skill will be allowed to fetch and execute code automatically. If you do not want automatic code pulls or scheduled jobs, disable or decline that behavior.
- Writeback & approvals: outbound syncs to Google/Clay are disabled by default and require explicit config enablement and per-sync approval; keep those flags off if you never want external writes.
- Journals & privacy: the skill writes per-run journals to ~/openclaw/journals/ocas-weave including runtime metadata; if those files are sensitive, determine retention/rotation policy or set retention.days in config.
- Cross-db reads: the skill can read other skill databases (Chronicle) for enrichment — confirm you’re comfortable with that data being accessible to this skill.
- Code provenance: the SKILL.md references a GitHub repo for install/update. If you plan to enable update behavior, review that GitHub repository yourself to ensure no unexpected code is fetched.

If you want to proceed only after clearing the above, ask the maintainer how the self-update cron is registered (what code runs, which account, and what network calls are made) and confirm there is no silent remote execution path enabled by default.
Capability Analysis
Type: OpenClaw Skill
Name: ocas-weave
Version: 2.3.0

The skill implements a high-risk self-update mechanism in SKILL.md (weave.update) that downloads a tarball from GitHub and overwrites its own code directory, which constitutes a Remote Code Execution (RCE) risk. This is coupled with a persistence mechanism via a daily cron job (weave:update) that ensures the update script runs automatically. While these features are presented as version management for the 'OpenClaw Agent Suite', the combination of remote payload execution and access to sensitive contact APIs (Google Contacts OAuth and Clay API keys in skill.json) creates a significant supply chain vulnerability.
Capability Assessment
Purpose & Capability
Name/description (private provenance-backed social graph) align with the actions and resources described: an on-disk LadybugDB, Cypher queries, journaling, and optional Google Contacts/Clay connectors. The optional Google OAuth and Clay API credentials declared in skill.json match the stated sync features. Reading the Chronicle DB for enrichment is consistent with the declared functionality.
Instruction Scope
SKILL.md and the references are prescriptive and largely scoped to the stated purpose (upserts, queries, imports/exports, syncs). They explicitly require explicit per-sync approval for outbound writebacks, which is good. Concerns: README and SKILL.md assert that the skill 'registers the weave:update cron job (midnight daily) for automatic self-updates' and the header references installing from a GitHub repo — but the skill package in the registry contains no install spec and no code to perform self-updates. That mismatch means the skill may expect runtime behavior (pulling code from GitHub / scheduling updates) that isn't visible in the registry, which increases risk. Also, the skill writes detailed journals to disk (including runtime metadata) — this is expected but could leak usage/host info if journal contents are sensitive.
Install Mechanism
There is no install spec in the registry (instruction-only skill), which is low-risk. However, SKILL.md includes an 'install: openclaw skill install https://github.com/indigokarasu/weave' line and README claims auto-registration of a cron self-update. That implies code retrieval/execution from GitHub at runtime, but no such mechanism is present in the manifest files here. This inconsistency is noteworthy: a self-update mechanism would raise higher risk if it fetches and executes code from an external URL, but the registry package does not show how that would be done.
Credentials
The skill requires no environment variables by default. skill.json lists optional credentials (google_contacts_oauth and clay_api_key) that are directly relevant to the two optional sync connectors; both are marked optional (required:false). The declared filesystem read/write paths (local weave DB, staging, journals, and an elephas/chronicle.lbug read path) are consistent with the declared enrichment and storage behavior. No unrelated secrets or extraneous credentials are requested.
Persistence & Privilege
Registry flags show no elevated platform privileges (always:false) and the skill is user-invocable/autonomous invocation allowed (platform default). The README's statement that a daily cron job is registered for automatic self-updates is a persistence action that would modify system state (scheduler) and enable code to be pulled and run on a schedule — this increases the blast radius compared with an instruction-only skill. Because the package in the registry does not contain an install/update mechanism, the presence of this claimed cron behavior is a red flag that should be clarified before trust.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ocas-weave
  3. After installation, invoke the skill by name or use /ocas-weave
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.3.0
**ocas-weave 2.3.0 changelog**

- Added README.md for general documentation.
- Introduced references/init_pattern.md for database initialization pattern guidance.
- Updated SKILL.md:
- Simplified and clarified skill description and trigger phrases.
- Provided clearer config.json example with updated version.
- Linked to new references and improved documentation structure.
- Added explicit instructions for skill updating via `weave.update`.
- Detailed run completion and journaling requirements.
- Improved modularity of documentation by splitting out database initialization and import/export instructions.
- Minor clarifications and error fixes throughout documentation.
v2.0.0
ocas-weave 1.0.1

- Added detailed reference documentation for connectors, cross-database queries, import/export flows, and journaling:
  - `references/connectors.md`
  - `references/cross_db.md`
  - `references/import_export.md`
  - `references/journal.md`
- Extended support and guidance for database interoperability and external system sync.
- Improved discoverability of data import/export and journaling practices.
v1.0.0
Initial release of ocas-weave: a private, provenance-backed social graph.

- Maintains deterministic, queryable records of people, relationships, preferences, and experiences.
- All material facts require provenance (source, timestamp, evidence, and confidence).
- Supports recall, gifting, hosting, introductions, city lookups, and serendipity connections.
- Strict controls for external writeback: disabled by default and requires explicit approval.
- Core commands: upsert person/relationship/preference, query graph, vCard export, graph status.
- Conservative data handling: no speculative inference or profiling without evidence.
Metadata
Slug ocas-weave
Version 2.3.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Weave?

Private provenance-backed social graph. Maintains queryable records of people, relationships, preferences, and shared experiences for recall, gifting, hostin... It is an AI Agent Skill for Claude Code / OpenClaw, with 248 downloads so far.

How do I install Weave?

Run "/install ocas-weave" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Weave free?

Yes, Weave is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Weave support?

Weave is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Weave?

It is built and maintained by Indigo Karasu (@indigokarasu); the current version is v2.3.0.
