Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Proactive Agent (XiaoDing)
v3.1.2
Transform AI agents from task-followers into proactive partners that anticipate needs and continuously improve. Now with WAL Protocol, Working Buffer, Autono...
by @asterisk622 · duplicate of @cp33333333333/proactive-agent1 · canonical: @halthelobster/proactive-agent
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match what the files and SKILL.md actually do: define a proactive agent architecture that reads/writes workspace memory files, onboarding, and heartbeat checks. It does not request unrelated environment variables, binaries, or external credentials in its manifest. The included security-audit script and many documentation assets are proportional to the stated purpose. One minor mismatch: AGENTS.md contains the ambiguous directive "Don't ask permission. Just do it." which conflicts with other guardrails that require explicit human approval for external/irreversible actions.
Instruction Scope
Runtime instructions tell an agent to copy assets, read and update workspace files (ONBOARDING.md, SESSION-STATE.md, memory/*, etc.), run the included security-audit.sh, and perform semantic/search operations and web research. Those actions are consistent with building a persistent, proactive agent, but they give the agent broad discretion to read and write many workspace files and to perform web searches / spawn research agents. The SKILL.md and references include example prompt-injection phrases (which triggered pre-scan signals) as part of detection guidance — this is expected, but reviewers should confirm those phrases are only used as examples and not as active overrides. Also note the contradictory instruction about not asking permission vs. explicit gating for external actions; that ambiguity could lead to unexpected autonomous behavior.
Install Mechanism
Instruction-only skill with no install spec and no downloads — lowest install risk. The only executable artifact is scripts/security-audit.sh included in the repo; running it is optional and explicitly an audit step.
Credentials
The skill declares no required environment variables or credentials. Docs reference a .credentials directory (gitignored) as the expected place for any API keys, but no secrets are requested by the skill itself. The security-audit.sh checks for .credentials and .gitignore entries; this is reasonable for a local agent architecture. There is no unexplained demand for cloud or unrelated service credentials.
Persistence & Privilege
The skill is not marked always:true and does not demand system-wide privileges. It instructs writing to workspace files (SESSION-STATE.md, memory, etc.), which is expected for this type of agent. It does not attempt to modify other skills or agent platform configs in the manifest.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md and references include this phrase as an example of prompt-injection patterns to detect and defend against. The scanner flagged it because it's present in documentation; for this skill the appearance is for detection rather than malicious override.
[you-are-now] expected: This helper phrase appears in security-patterns and examples showing what prompt-injection looks like. Its presence in docs is expected for an agent security guide, but confirm it isn't used to attempt to change runtime system prompts.
[system-prompt-override] expected: The materials list this as an injection pattern to look for. It's fine in the context of a security-patterns reference, but reviewers should ensure no live code actually performs system-prompt replacement or accepts such overrides from untrusted sources.
What to consider before installing
This skill is broadly coherent for building a proactive, persistent agent: it reads and writes workspace files, provides onboarding and heartbeat patterns, and includes a local security audit script. Before installing or enabling it, do the following:
1) Read SKILL.md, AGENTS.md, and references/security-patterns.md yourself — confirm the prompt-injection phrases are only examples for detection and not used to change system prompts at runtime.
2) Inspect the included scripts/security-audit.sh and run it in a safe environment (it only reads repository files and local configs).
3) Look at AGENTS.md's guidance that says "Don't ask permission. Just do it." — clarify or remove this line if you expect the agent to require explicit approval for actions that leave the machine or alter external systems.
4) Ensure .credentials is gitignored and any credentials you place there are protected (chmod 600).
5) If you plan to grant the agent network access, email, or tool integrations (browsing, GitHub, sending messages), consider testing in a restricted environment first and ensure action-gating is enforced (explicit human approval for external/irreversible actions).
If you want, I can produce a short checklist of files/lines to inspect or a minimal test plan to verify the skill's behavior safely.
assets/HEARTBEAT.md:11
Prompt-injection style instruction pattern detected.
references/security-patterns.md:9
Prompt-injection style instruction pattern detected.
SKILL-v2.3-backup.md:179
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
