Dreaming
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill largely matches its creative heartbeat purpose, but an editable state value can be turned into Python code during automated heartbeat checks.
Review the script before enabling it in HEARTBEAT.md. If you use it, fix or constrain dreamChance handling, protect data/dream-state.json from untrusted edits, and periodically review or delete generated memory/dreams files.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the state file is edited incorrectly or poisoned by another local process or skill, the next heartbeat run could execute unintended Python commands with the agent user's permissions.
A value loaded from data/dream-state.json is inserted directly into Python source code instead of being validated as a number or passed as data.
DREAM_CHANCE=$(echo "$STATE" | jq -r '.dreamChance // 1.0')
ROLL=$(python3 -c "import random; print(1 if random.random() < $DREAM_CHANCE else 0)")
Validate dreamChance as a numeric value before use, or pass it to Python through an environment variable or argv and parse it as float rather than interpolating it into code.
After setup, the agent may periodically create journal-like files during quiet hours.
The skill is designed to run from a recurring heartbeat routine and create output without a direct user request each time.
Add this section to your heartbeat routine (during quiet hours)... If DREAM_TOPIC is set: ... Write a thoughtful exploration to memory/dreams/YYYY-MM-DD.md
Only add the heartbeat hook if you want autonomous quiet-hours writing, and keep the maxDreamsPerNight and dreamChance settings low enough for your comfort.
Speculative or creative agent-written content could be mistaken for reliable memory if it is later fed back into the agent.
The skill intentionally creates persistent generated content that may later be reviewed or reused as context.
memory/dreams/YYYY-MM-DD.md — Dream output files (written by the agent, not the script)
Keep dream files separate from authoritative project notes and review them before using them as context for future work.
