alexey-proactive-agent
v1.0.0
Transform AI agents from task-followers into proactive partners that anticipate needs and continuously improve. Now with WAL Protocol, Working Buffer, Autono...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (proactive, WAL, working buffer, heartbeats) aligns with the included assets and SKILL.md: the package is an architecture + operational playbook that instructs the agent to read/write workspace files, maintain memory files, run heartbeats, and run a local security-audit script. The presence of a security-audit script and many documentation assets is coherent with the stated purpose. Minor note: instructions reference $HOME/.clawdbot/clawdbot.json and /tmp/clawdbot/*.log which reach outside the immediate workspace; that is plausible for an agent but broadens the skill's footprint.
Instruction Scope
SKILL.md and assets explicitly instruct the agent to scan every message, create/update multiple files (SESSION-STATE.md, working-buffer.md, USER.md, SOUL.md, MEMORY.md), run heartbeats, perform log inspection, and execute the included ./scripts/security-audit.sh. Most of that fits a proactive agent, but there are contradictory statements about autonomy (examples: AGENTS.md says 'Don't ask permission. Just do it.'; SOUL.md and other files contain 'Ask forgiveness, not permission' vs repeated guardrails 'Nothing external without approval' and 'Confirm before deleting'). Those contradictions could lead to the agent taking local actions (file writes, process management, closing apps, spawning research agents) without consistent gating. The SKILL.md includes prompt-injection detection examples (the pre-scan patterns) — expected for a security-hardened agent, but the file gives the agent broad discretion to 'try 5–10 methods' and 'spawn research agents', which increases scope and risk if not human-gated.
Install Mechanism
Instruction-only skill with no install spec; no downloads or package installs are requested. This is the lowest-risk install model. The only executable is a small local shell script (security-audit.sh) included in the repo — you must still audit that script before running, but there is no external install mechanism pulling remote code.
Credentials
The skill declares no required env vars or credentials. It documents a .credentials directory and the security-audit.sh checks for .credentials and .gitignore entries; that is proportionate to a memory/agent management skill. However, the skill reads or suggests reading home-level config (~/.clawdbot/clawdbot.json) and logs (/tmp/clawdbot/*.log), which are outside the workspace and could expose broader system state. The script also scans local markdown/config files for 'possible secrets' — reasonable for an audit, but it accesses multiple file locations. No explicit requests for cloud keys or external tokens are present.
Persistence & Privilege
The skill is not always:true and does not request special platform privileges. It instructs the agent to create and update files in the workspace and maintain heartbeat state — expected for a persistent agent design. Nothing in the package appears to modify other skills' configurations or force inclusion across agents.
Scan Findings in Context
[prompt-injection-pattern:ignore-previous-instructions] expected: The SKILL.md and references include examples of prompt-injection strings as patterns to detect (e.g., 'ignore previous instructions'). This is expected for a security-hardened proactive agent and appears to be included as defensive material, not as an active override.
[prompt-injection-pattern:you-are-now] expected: The string 'you are now' is listed as an injection pattern in references/security-patterns.md and HEARTBEAT.md. This is consistent with the skill's stated injection-detection purpose.
[prompt-injection-pattern:system-prompt-override] expected: The SKILL.md references 'system prompt override' style injections as things to detect and guard against; this is expected and part of the skill's defensive guidance.
What to consider before installing
- Review contradictions: the repo mixes strong guardrails ('Nothing external without approval', 'confirm before deleting') with permissive phrases ('Don't ask permission. Just do it.' and 'Ask forgiveness, not permission'). Decide which behavior you expect and whether the agent will be human-gated for external actions.
- Audit the included shell script before running: scripts/security-audit.sh reads home-level config and logs (e.g., ~/.clawdbot/*, /tmp/clawdbot/*.log) and inspects files for possible secrets. Running it in a sandbox or CI runner first is safer.
- Sandbox first: because the agent is designed to write and update files (SESSION-STATE.md, USER.md, MEMORY.md, working-buffer.md) and can inspect other local config, test it in an isolated workspace or VM with no sensitive credentials present.
- Confirm credential handling: the skill expects a .credentials directory (gitignored) and will check permissions — ensure your real secrets aren't present during initial testing and that your credential storage meets the documented rules (chmod 600, not checked into git).
- Decide on autonomy: the skill encourages proactive actions (heartbeats, spawning research agents, attempting fixes). If you want tighter control, restrict the agent's ability to act autonomously in your platform or require manual approval steps.
- If you are unsure, classify as untrusted until you or a dev has manually validated the behavior in a controlled environment. The package is coherent with its stated purpose, but the autonomy/conflicting instructions and access to home-level config justify caution.

Like a lobster shell, security has layers — review code before you run it.
