PARA + Proactive Agent Workspace
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly a workspace and memory template, but it also tells an agent to run proactive background checks, access personal accounts, and push changes without clear opt-in or limits.
Install only if you want a persistent agent-memory workspace and are willing to review the templates. Before enabling heartbeats, email/calendar/social checks, or git pushing, edit AGENTS.md and HEARTBEAT.md to require explicit approval and clear scopes. Run the setup script only in an empty or backed-up directory, and keep memory/profile files out of git or public sync unless you intentionally want to share them.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could change a shared repository or accidentally publish private workspace or memory content.
Committing and pushing to a remote repository is an external, mutating action, but the template authorizes it without per-action approval, file limits, branch limits, or review of what may be published.
Proactive work you can do without asking: - Read and organize memory files - Check on projects (git status, etc.) - Update documentation - Commit and push your own changes
Require explicit user approval before any commit or push, show a diff first, restrict allowed repositories and branches, and exclude memory/profile files from version control.
If the agent has connected tools, it may read email, calendar, or social-notification data during background checks without a fresh prompt.
These checks require access to sensitive personal accounts, but the skill metadata declares no credential or configuration contract and the templates do not define scopes or consent requirements.
Things to check (rotate through these, 2-4 times per day): - Emails - Any urgent unread messages? - Calendar - Upcoming events in next 24-48h? - Mentions - Twitter/social notifications?
Make each account integration opt-in, document required credentials and scopes, and require user confirmation before enabling periodic account checks.
If heartbeats are enabled, the agent may keep checking accounts, updating files, or reaching out after the original workspace setup task is finished.
The template is designed for periodic polling and background work outside a direct user request, but the artifacts do not provide a clear opt-in flow, schedule boundary, or stop control.
> Configure your agent to poll this during heartbeats.
Keep heartbeat behavior disabled until explicitly configured, define allowed tasks and frequency, and provide a simple way to pause or disable all background activity.
A malicious or accidental BOOTSTRAP.md file in the workspace could redirect the agent's behavior and then be removed, making the change harder to audit.
This makes a local file authoritative over the agent's identity or goals and then deletes it, without source validation or user confirmation.
If `BOOTSTRAP.md` exists, that's your birth certificate. Follow it, figure out who you are, then delete it.
Treat bootstrap files as untrusted until approved by the user, summarize their contents before following them, and do not delete them automatically.
Personal details, preferences, decisions, and conversation summaries may remain on disk and be reused later.
Persistent memory is central to the skill and is disclosed, but it stores personal context and chat-derived facts in files that can influence future sessions.
WAL Protocol (Write-Ahead Logging) Trigger on EVERY message... Rule: Write to memory FIRST, then respond.
Keep the workspace private, review memory files regularly, avoid storing secrets, and exclude memory/profile files from git or cloud sync unless intentionally shared.
Manual setup may stop after creating or overwriting some files, requiring cleanup or rerun.
The provided manifest does not include assets/templates/.agents/README.md; because the script uses set -e, the optional setup can fail partway through and leave a partial workspace.
set -e ... cp "$TEMPLATE_DIR/.agents/README.md" .agents/
Fix the missing referenced template or guard the copy command, and run the setup script only in a new or backed-up directory.