v3.1.2

Autonomous Agent Toolkit

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:53 AM.

Analysis

The toolkit is not visibly malicious, but it should be reviewed because it encourages recurring autonomous agents, persistent memory, and scheduled external actions that can continue without per-action review.

GuidanceInstall this only if you intentionally want to build scheduled autonomous agents. Before enabling any cron, edit the generated SOUL.md, AGENTS.md, and HEARTBEAT.md with precise allowed actions, red lines, human approval requirements, logging, and a kill switch. Avoid putting secrets in memory files, and do not connect posting, sales, or account APIs until you have draft/review gates and rollback plans.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Configure cron jobs for autonomous operation ... --message "Check HEARTBEAT.md. Execute pending tasks. Reply HEARTBEAT_OK if nothing."

The documented workflow creates recurring OpenClaw jobs that can keep invoking an agent and performing pending tasks outside the user's immediate session.

User impactIf enabled too broadly, the agent can continue acting on a schedule after setup, including when the user is not actively watching.

RecommendationOnly enable cron jobs intentionally. Define narrow allowed actions, explicit approval requirements, logs, and a tested kill switch before turning on autonomous schedules.

Tool Misuse and Exploitation

SeverityMediumConfidenceMediumStatusConcern

references/cron-patterns.md

Content Scheduling ... --message "Read memory/x-trend-ideas.md and memory/x-analytics-log.md. Write and schedule tomorrow's posts using winning formats."

The reference material gives a recurring automation pattern that can create and schedule public content without an approval step in the cron message itself.

User impactIf a user adopts this pattern without adding review gates, the agent could publish or schedule external content that affects reputation or accounts.

RecommendationUse draft-only workflows by default, require human approval before posting or account changes, and set hard rate limits and rollback procedures.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

metadata

Source: unknown ... Version: 3.1.2 ... Required binaries (all must exist): none

The registry data gives an unknown source and no binary requirements even though SKILL.md instructs running python3 and openclaw cron commands; _meta.json also reports version 3.1.1.

User impactThe registry view may not fully communicate what tools and package version the user is actually relying on.

RecommendationVerify the source repository and version, inspect scripts before running them, and run the generator only in a controlled directory.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

`USER.md` | Context about the human operator | `MEMORY.md` | Long-term curated knowledge (agent maintains this)

The generated agent design stores operator context and persistent memory that future sessions are expected to read and trust.

User impactSensitive personal or operational details could persist in agent files, and incorrect entries could influence later autonomous behavior.

RecommendationKeep secrets out of memory files, review MEMORY.md and daily logs regularly, and add clear rules for what may be stored, retained, or deleted.