Skillv1.0.0

ClawScan security

Agent Autonomy Kit 1.0.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 15, 2026, 6:24 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions match its stated purpose (making agents proactive), but there are provenance inconsistencies and it promotes continuous autonomous operation and external integrations without declaring credentials or safeguards — review before enabling.
Guidance: This skill is coherent with its stated goal, but review a few things before enabling: 1) Verify provenance — confirm the repository and publisher (the SKILL metadata, README, and _meta.json show inconsistent owners/URLs). 2) Start in a restricted/isolation mode (or staging agent) and test with limited heartbeat frequency to avoid unexpected costs. 3) Add explicit safeguards: token/call limits, max run time, and clear halt conditions in your heartbeat/cron configuration. 4) Audit any task queue and memory files for sensitive data before the agent uses them. 5) Ensure external integrations (Discord/Slack, webhooks) are provided via scoped credentials stored securely and reviewed; do not supply broad or long-lived org-level tokens. 6) Provide monitoring and a manual immediate-stop mechanism so you can disable autonomous runs quickly if behavior is unexpected. If you cannot verify the repository origin or prefer not to grant outbound posting/cron privileges, do not enable this skill system-wide.

Review Dimensions

Purpose & Capability: noteThe name/description (make agents proactive) align with the instructions (task queue, heartbeat, cron jobs, team channels). however there are provenance inconsistencies: the SKILL metadata/homepage and README point to different GitHub orgs (itskai-dev vs reflectt) and _meta.json ownerId differs from the registry ownerId. That mismatch warrants verification of origin.
Instruction Scope: concernSKILL.md and README explicitly instruct agents to read local task/memory files, update queues, post to team channels, and set up cron jobs that run automatically. While these actions are consistent with autonomy, they give the agent broad discretion to run recurring work, create posts to external channels, and perform repeated operations without human prompts. There are no explicit safeguards (rate or cost limits, halt conditions) in the instructions.
Install Mechanism: okInstruction-only skill with no install spec and no code files. This is lower risk from a filesystem/execution perspective because nothing will be downloaded or installed by the skill package itself.
Credentials: noteThe skill declares no required environment variables or credentials, which is consistent for an instruction-only template. However, the README suggests integrating with Discord/Slack and using 'openclaw cron add' — those actions will require credentials/configuration elsewhere. The skill does not declare or request them, so you must ensure credentials are provided separately and scoped appropriately.
Persistence & Privilege: notealways is false (good). The skill explicitly recommends scheduling recurring cron jobs and continuous heartbeats, which will cause the agent to run autonomously and repeatedly. Autonomous invocation is the platform default, so this is expected, but combined with no declared safeguards it increases the risk of runaway costs, spam to external channels, or unintended actions.