Ontology Causal Enhanced
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is not clearly malicious, but it asks the agent to broadly log and analyze private activity across email, calendar, messaging, files, purchases, deployments, and system changes without sufficiently declared account access or tight user controls.
Review this skill carefully before installing. It appears designed for local knowledge-graph and causal-memory workflows, not for exfiltration, but it can read sensitive communication/calendar history through local tools and persist action logs. Only use it if you are comfortable with that memory layer, and require explicit approval for any backfill or high-impact action.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. Risk: The agent may start logging, analyzing, or influencing many unrelated actions, including sensitive business or account changes.
   Details: The skill instructs the agent to activate broadly across high-impact activities, not just when the user explicitly asks for causal analysis.
   Evidence (quoted from the skill): "Trigger this skill on ANY high-level action, including ... file operations, API calls, notifications, reminders, purchases, deployments ... System | Config change, permission grant, integration setup"
   Recommendation: Limit invocation to explicit user requests or clearly listed low-risk domains, and require user confirmation before logging or acting on purchases, deployments, permission changes, file sharing, or public/social actions.

2. Risk: A model-derived recommendation could turn into an action without enough user review, especially in domains like deployments, social posts, or account configuration.
   Details: The planning workflow tells the agent to choose and execute a ranked action after estimating utility. The protected-actions list is limited and does not clearly cover all high-impact examples named elsewhere.
   Evidence (quoted from the skill): "4. Execute best action, log prediction"
   Recommendation: Make the causal model advisory by default. Require explicit user approval before executing any external, irreversible, public, financial, account, deployment, or permission-changing action.

3. Risk: Installing or using the skill may let the agent read account-backed email data via existing local credentials even though no credential requirement is declared.
   Details: The script accesses Gmail data through a locally configured CLI. The registry metadata declares no primary credential, required env vars, or required binaries, so the account boundary is under-disclosed.
   Evidence (from the script):
       subprocess.run(["gog", "gmail", "list", "--sent", "--after", after_date, "--format", "json"], capture_output=True, text=True)
   Recommendation: Declare the required account tools and credential assumptions, identify which accounts are accessed, and require user confirmation before any email/calendar/message backfill.

4. Risk: The agent could process private message metadata/history through existing local sessions or credentials.
   Details: The script can query WhatsApp/message history through a local CLI, which is sensitive account access not declared in the registry requirements.
   Evidence (from the script):
       subprocess.run(["wacli", "search", "--after", after_date, "--limit", "1000", "--format", "json"], capture_output=True, text=True)
   Recommendation: Declare messaging-account access explicitly, narrow the default scope, and require the user to choose the platform, date range, and source file before processing.

5. Risk: Private activity metadata from emails, calendar events, messages, and other actions may persist locally and influence later agent behavior, even when the history contains incorrect or sensitive entries.
   Details: The skill encourages broad historical backfill into a persistent action log that can be reused for future causal estimates and decisions.
   Evidence (quoted from the skill): "Don't start from zero. Parse existing logs to reconstruct past actions + outcomes. ... Store in `memory/causal/action_log.jsonl`."
   Recommendation: Add clear retention, deletion, review, and exclusion controls. Store only minimal derived metadata, and ask the user before reusing logs across tasks.

6. Risk: Information saved in the ontology may be reused by other skills or future tasks.
   Details: The ontology component is intentionally a shared local memory layer. This is purpose-aligned, but shared state can carry stale, sensitive, or incorrect context into later workflows.
   Evidence (quoted from the skill): "Skill needs shared state | Read/write ontology objects ... Cross-Skill Communication"
   Recommendation: Review saved ontology entries periodically and avoid storing secrets or unnecessary personal data.

7. Risk: Users may not realize extra local tools and account sessions are needed for the documented backfill workflows.
   Details: The registry metadata does not identify a source and does not declare helper binaries or credential assumptions, while the included docs and scripts reference Python, gog, and wacli usage.
   Evidence (quoted from the registry metadata): "Source: unknown ... Required binaries (all must exist): none ... Primary credential: none"
   Recommendation: Publish clear provenance, declare required/optional binaries, and document credential requirements in the registry metadata.
