alexey-proactive-agent
Audited by ClawScan on May 10, 2026.
Overview
This skill is not overtly malicious, but it gives the agent broad persistent memory, proactive account checks, and autonomous local actions that need careful user control.
Install only if you intentionally want a persistent proactive agent. Before use, inspect any BOOTSTRAP.md file, disable or tightly scope email/calendar access, make heartbeat cleanup report-only, and set clear rules for what may be written to memory and when persistent agent files may be changed.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A planted or stale BOOTSTRAP.md file could redirect the agent before the user has inspected it.
This makes a workspace file authoritative on first run and removes it afterward, without requiring source validation or user review.
If `BOOTSTRAP.md` exists, follow it, then delete it.
Require the agent to show BOOTSTRAP.md to the user first, verify its source, and avoid deleting it automatically.
The agent could disrupt active work, close useful tabs, or move files unexpectedly during a proactive heartbeat.
The heartbeat checklist encourages local environment changes during periodic checks; although other files include some safety rules, this checklist does not clearly require a dry run or user approval before closing apps/tabs or trashing files.
Close Unused Apps ... Browser Tab Hygiene ... Close: Random searches, one-off pages ... Desktop Cleanup - Move old screenshots to trash
Make cleanup actions report-only by default and require explicit approval before closing apps, closing tabs, or moving files.
If the agent has mail or calendar tools, it may inspect sensitive account data as part of proactive monitoring.
The skill encourages periodic access to private email and calendar data, but the registry metadata declares no credentials, account scope, or approval boundary for those services.
Things to check periodically: - Emails - anything urgent? - Calendar - upcoming events?
Grant email/calendar access only after explicit opt-in, limit which accounts and folders/calendars are accessible, and require the agent to summarize what it will check before doing so.
Private conversation details, names, preferences, decisions, URLs, and other sensitive context may be stored locally and reused later.
The skill explicitly creates persistent files for conversation details and working memory, but does not clearly define retention, exclusions for secrets, review controls, or deletion procedures.
Working Buffer — Captures every exchange in the danger zone ... `SESSION-STATE.md` ... Every message with critical details
Use this only with a clear memory policy: opt in, exclude secrets and private documents, review memory writes, and provide a simple delete/export process.
A bad inference, prompt-injection-adjacent content, or mistaken lesson could become a future rule for the agent.
The agent is instructed to modify persistent operating rules and skill files from learned lessons without human approval, which can preserve mistaken or poisoned instructions across sessions.
Learn a lesson → update AGENTS.md, TOOLS.md, or skill file ... Don't wait for permission to improve.
Require human review before changing AGENTS.md, TOOLS.md, SOUL.md, or skill files, and keep version history for rollback.
The agent may perform periodic checks and initiate follow-ups rather than only responding to direct user requests.
Periodic heartbeat behavior and state tracking are central to the skill's proactive purpose, but users should understand that enabling it creates ongoing autonomous activity.
When you receive a heartbeat poll... Track state in: `memory/heartbeat-state.json` ... When to reach out: ... It's been >8h since you said anything
Enable heartbeats only if you want proactive monitoring, and set clear schedules, allowed checks, and notification limits.
