v3.1.3

Proactive Agent

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:05 AM.

Analysis

Review before installing: the skill is mostly coherent with its proactive-agent purpose, but it asks the agent to persist private context, inspect email/calendar, change local/browser state, and rewrite its own operating notes.

Guidance: Install only if you want a highly proactive, memory-based agent. Before enabling it, decide what it may remember, which files/accounts it may inspect, whether heartbeats are allowed, and which actions require explicit approval. Review the memory files and any changes to AGENTS.md or skill files regularly.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
assets/HEARTBEAT.md
Close Unused Apps ... Browser Tab Hygiene ... Close: Random searches, one-off pages ... Desktop Cleanup - Move old screenshots to trash

The heartbeat checklist tells the agent to make local environment changes, including closing apps/tabs and moving files, without clearly requiring user approval in that workflow.

User impact: The agent could disrupt open work, close useful browser tabs, or move files unexpectedly during proactive maintenance.
Recommendation: Require explicit confirmation before closing apps, closing tabs, moving files, deleting files, or changing desktop state; limit cleanup to user-selected paths.

Cascading Failures
Severity: Medium | Confidence: High | Status: Concern
assets/AGENTS.md
Learn a lesson → update AGENTS.md, TOOLS.md, or skill file ... Don't wait for permission to improve. If you learned something, write it down now.

The agent is told to alter future operating rules and skill files based on learned lessons without human review, so a mistaken or poisoned lesson can persist across sessions.

User impact: A bad assumption or maliciously influenced note could become a standing rule that affects future behavior.
Recommendation: Require human review for changes to AGENTS.md, TOOLS.md, SOUL.md, or skill files; separate raw observations from executable operating instructions.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
assets/AGENTS.md
When you receive a heartbeat poll ... Track state in: `memory/heartbeat-state.json` ... When to reach out: ... It's been >8h since you said anything

The skill is designed for ongoing heartbeat-driven activity and proactive outreach, which is disclosed and purpose-aligned but means the agent may act outside a direct user prompt.

User impact: The agent may periodically inspect state and initiate check-ins if heartbeat polling is enabled.
Recommendation: Enable heartbeats only if desired, define quiet hours, and restrict what heartbeat runs are allowed to inspect or change.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
SKILL.md
Run security audit: `./scripts/security-audit.sh`

The skill includes a user-directed shell audit script. The provided script content appears security-audit focused and does not show hidden network calls, but it still executes local commands and reads local files/configuration.

User impact: Running the audit may inspect local credential-file permissions, common config files, gitignore contents, and Clawdbot configuration.
Recommendation: Review the script before running it and execute it only in the intended workspace.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: Medium | Status: Note
metadata
Source: unknown
Homepage: none

The registry metadata provides limited provenance for a package that contains operating-rule files and a shell script.

User impact: Users have less external context for deciding whether to trust the author and package lineage.
Recommendation: Prefer installing from known sources, review the included files, and verify the author/package identity before use.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
assets/HEARTBEAT.md
Things to check periodically:
- Emails - anything urgent?
- Calendar - upcoming events?

The skill instructs periodic access to private email and calendar data, but the registry requirements declare no credential or configuration scope, leaving account boundaries unclear.

User impact: If connected to tools with account access, the agent may inspect sensitive messages or calendar events more broadly than the user expects.
Recommendation: Define which accounts may be accessed, require read-only scopes where possible, and ask for explicit approval before enabling email or calendar checks.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
`SESSION-STATE.md` | Active working memory (current task) | Every message with critical details ... `MEMORY.md` | Curated long-term wisdom

The active skill instructs the agent to persist conversation details and long-term context into workspace memory files, which can capture sensitive personal or business information and reuse it in later sessions.

User impact: Private details, preferences, names, decisions, and work context may be written to persistent files and later treated as trusted memory.
Recommendation: Use only in a workspace where persistent memory is acceptable, define what must not be saved, and periodically review, prune, or delete the memory files.