ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

08 Proactive Agent

v1.0.0

Transform AI agents from task-followers into proactive partners that anticipate needs and continuously improve. Now with WAL Protocol, Working Buffer, Autono...

0· 32·1 current·1 all-time
by@2720480371·duplicate of @cp33333333333/proactive-agent1·canonical: @halthelobster/proactive-agent
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (proactive, WAL, working buffer, etc.) matches the runtime instructions: reading and writing workspace markdown files, managing session-state, and running a local security audit script. However, the instructions reference system-level config and logs (e.g., $HOME/.clawdbot/clawdbot.json, /tmp/clawdbot/*.log) and email/calendar checks even though no config paths, environment variables, or external connectors are declared — an unannounced expectation that the agent has broader system or service access.
!
Instruction Scope
SKILL.md tells the agent to scan and write many local files (ONBOARDING.md, USER.md, SESSION-STATE.md, memory/*, working-buffer.md) which is expected, but also includes instructions to tail system logs, check email/calendar, and 'Don't ask permission. Just do it.' in AGENTS.md. That phrase is inconsistent with other guardrails in the same skill (which say 'ask first' for external actions) and grants broad discretionary behaviour. The skill also instructs the agent to run ./scripts/security-audit.sh — benign but gives the agent a scriptable audit capability that reads home files and workspace files.
Install Mechanism
No install spec; instruction-only plus a single included shell script (scripts/security-audit.sh). The script performs local checks only (file permissions, grep scans, config checks) and does not download or install anything. This is low-risk from an install perspective.
Credentials
The skill declares no required env vars, credentials, or config paths — which is consistent with being instruction-only — but many instructions assume presence of local credentials and gateway config (.credentials/, $HOME/.clawdbot/clawdbot.json) and expect the agent to access email/calendar and system logs. That implicit expectation (access to home, logs, connectors) isn't declared and may surprise users if those connectors exist.
!
Persistence & Privilege
always:false (normal) and autonomous invocation allowed (also normal). However, the skill's design encourages proactive, autonomous writes to workspace files and includes language ('Don't ask permission. Just do it.') that can push the agent to act without explicit human approval. Combined with autonomous invocation and file/log access, this increases the blast radius if you want strict human gating for external or irreversible actions.
Scan Findings in Context
[ignore-previous-instructions] expected: Pattern appears in the SKILL.md and assets as examples of prompt-injection strings to detect and block. Its presence is expected (the skill teaches defenses).
[you-are-now] expected: Detected in the docs as an injection example (used to illustrate patterns the agent should flag). This is expected and used for training the agent's defenses.
[system-prompt-override] expected: Detected as an example string in the security patterns and heartbeat checks. The skill enumerates such phrases to detect prompt-injection; presence is consistent with the skill's security-hardening guidance.
What to consider before installing
This skill appears to implement a local 'proactive agent' architecture and includes useful guardrails and a benign security-audit script — but review carefully before installing. Things to check before you proceed: - Review the files yourself (SKILL.md, AGENTS.md, HEARTBEAT.md, scripts/security-audit.sh). The script is local-only and not malicious, but verify it and run it in a safe environment first. - Be aware the skill expects access to workspace files and may read other local files/configs (it references .credentials/ and $HOME/.clawdbot/clawdbot.json and suggests tailing logs). If you don't want broad local access, run it in an isolated workspace or VM. - The docs contain mixed messaging: many places require explicit approval before external actions, but AGENTS.md contains 'Don't ask permission. Just do it.' Decide which policy you want and remove/modify conflicting lines before using. - The skill assumes connectors (email/calendar, gateway) may exist; it does not declare required credentials. If you have integrations, confirm whether the skill should be allowed to read/send on those services. - If you plan to let the agent run autonomously, consider locking down or reviewing any automated write/send actions (disable autonomous invocation or add explicit gating) and keep backups of important files. If you want to install: run the included security-audit.sh in a controlled environment first, verify .credentials is gitignored and permissioned, and ensure the agent's autonomy settings match your desired safety posture.
!
assets/HEARTBEAT.md:11
Prompt-injection style instruction pattern detected.
!
references/security-patterns.md:9
Prompt-injection style instruction pattern detected.
!
SKILL-v2.3-backup.md:179
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk974tzydsj4gzxm6me7ctjw1fx840epr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments