Proactive Agent 3.1.0
WarnAudited by ClawScan on May 10, 2026.
Overview
This is not clear malware, but it gives the agent broad proactive autonomy, persistent personal memory, private account checks, and self-updating behavior without tight user-controlled boundaries.
Install only if you want a highly autonomous, memory-heavy agent. Before enabling it, limit tools and accounts, disable or scope heartbeats, require approval for email/calendar/messaging access and local cleanup, review all persistent memory files regularly, and inspect the shell script before running it.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Personal details, decisions, relationships, preferences, and work context may be saved and reused across sessions in local files.
The skill instructs the agent to persist user-specific details from messages into workspace memory files, but the artifacts do not define retention, redaction, encryption, exclusion paths, or when the user can opt out.
`SESSION-STATE.md` | Active working memory (current task) | Every message with critical details
Use only with explicit memory opt-in, clear retention rules, sensitive-data exclusions, and a review process before memory is reused or shared.
The agent could periodically inspect private context and initiate work or notifications when the user did not directly ask.
The skill is designed for periodic proactive checks and outreach, which can make the agent operate outside a direct user request unless heartbeat scope and approvals are tightly configured.
When you receive a heartbeat poll... Things to check: Emails - urgent unread? Calendar - upcoming events? Logs - errors to fix?... When to reach out: ... It's been >8h since you said anything
Disable or tightly scope heartbeats by default, require opt-in per data source, and require user approval before any outreach or background task.
If the host agent has powerful tools, this skill could cause broad local or account inspection and tool use beyond what the user expected.
The instructions broadly authorize local file exploration, web activity, calendar checking, CLI/browser use, and spawned agents without defining allowed paths, accounts, tool permissions, or approval checkpoints.
**Do freely:** - Read files, explore, organize, learn - Search the web, check calendars - Work within the workspace ... Use every tool: CLI, browser, web search, spawning agents
Limit tool permissions, define allowed workspaces and accounts, and require explicit approval for CLI, browser automation, calendar/email access, or spawned-agent delegation.
Private email and calendar contents could be read if the agent has connected account tools or sessions.
The skill directs the agent to inspect private communications and calendar data, while the registry declares no credential or configuration requirements and the artifacts do not scope which accounts may be accessed.
Things to check periodically: - Emails - anything urgent? - Calendar - upcoming events?
Do not connect email, calendar, WhatsApp, Telegram, or similar accounts unless the user explicitly opts in and the allowed accounts, read/write permissions, and approval rules are documented.
Bad assumptions or maliciously influenced notes could become future operating rules and compound over time.
The agent is told to modify persistent operating files immediately, so a mistaken lesson or poisoned context could change behavior across future sessions.
After every mistake or learned lesson: 1. Identify the pattern 2. Figure out a better approach 3. Update AGENTS.md, TOOLS.md, or relevant file immediately Don't wait for permission to improve.
Require review before changes to AGENTS.md, SOUL.md, TOOLS.md, skill files, or other instruction-bearing files become active.
Running the script gives it read access to local workspace files and selected local configuration paths.
The included shell script performs local audit checks, including reading workspace files and a home-directory config path. It appears purpose-aligned and user-directed, with no network exfiltration or destructive command shown.
CONFIG_FILE="$HOME/.clawdbot/clawdbot.json"
Inspect the script before running it, run it from the intended workspace, and avoid running it with elevated privileges.
Users have less assurance about origin, authorship, and which version they are installing.
The embedded metadata differs from the registry header's owner ID, slug, and version, and the source/homepage are unknown. This is a provenance ambiguity, not direct evidence of malicious behavior.
"ownerId": "kn7agvhxan0vcwfmhrjhwg4n9s802d7k", "slug": "proactive-agent", "version": "3.1.0"
Verify the publisher and version out of band before installing, especially because the skill changes persistent agent behavior.