PARA + Proactive Agent Workspace
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: para-proactive-workspace
Version: 1.0.2
The OpenClaw AgentSkills skill bundle provides a workspace template with extensive documentation and agent instructions. The `scripts/setup-workspace.sh` script performs only local file system operations (`mkdir`, `cp`, `cat`) without any remote execution or suspicious commands. Crucially, the agent's operating instructions within files like `AGENTS.md`, `SOUL.md`, and `HEARTBEAT.md` explicitly promote strong security practices, including prohibitions against data exfiltration, destructive commands without confirmation, executing instructions from external content, and strict rules for handling sensitive memory (`MEMORY.md`) in shared contexts. The skill actively mitigates prompt injection and data leakage risks through its internal directives.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could change a shared repository or accidentally publish private workspace or memory content.
Committing and pushing to a remote repository is an external, mutating action, but the template authorizes it without per-action approval, file limits, branch limits, or review of what may be published.
Proactive work you can do without asking:
- Read and organize memory files
- Check on projects (git status, etc.)
- Update documentation
- Commit and push your own changes
Require explicit user approval before any commit or push, show a diff first, restrict allowed repositories and branches, and exclude memory/profile files from version control.
If the agent has connected tools, it may read email, calendar, or social-notification data during background checks without a fresh prompt.
These checks require access to sensitive personal accounts, but the skill metadata declares no credential or configuration contract and the templates do not define scopes or consent requirements.
Things to check (rotate through these, 2-4 times per day):
- Emails - Any urgent unread messages?
- Calendar - Upcoming events in next 24-48h?
- Mentions - Twitter/social notifications?
Make each account integration opt-in, document required credentials and scopes, and require user confirmation before enabling periodic account checks.
If heartbeats are enabled, the agent may keep checking accounts, updating files, or reaching out after the original workspace setup task is finished.
The template is designed for periodic polling and background work outside a direct user request, but the artifacts do not provide a clear opt-in flow, schedule boundary, or stop control.
> Configure your agent to poll this during heartbeats.
Keep heartbeat behavior disabled until explicitly configured, define allowed tasks and frequency, and provide a simple way to pause or disable all background activity.
A malicious or accidental BOOTSTRAP.md file in the workspace could redirect the agent's behavior and then be removed, making the change harder to audit.
This makes a local file authoritative over the agent's identity or goals and then deletes it, without source validation or user confirmation.
If `BOOTSTRAP.md` exists, that's your birth certificate. Follow it, figure out who you are, then delete it.
Treat bootstrap files as untrusted until approved by the user, summarize their contents before following them, and do not delete them automatically.
Personal details, preferences, decisions, and conversation summaries may remain on disk and be reused later.
Persistent memory is central to the skill and is disclosed, but it stores personal context and chat-derived facts in files that can influence future sessions.
WAL Protocol (Write-Ahead Logging) Trigger on EVERY message... Rule: Write to memory FIRST, then respond.
Keep the workspace private, review memory files regularly, avoid storing secrets, and exclude memory/profile files from git or cloud sync unless intentionally shared.
Manual setup may stop after creating or overwriting some files, requiring cleanup or rerun.
The provided manifest does not include `assets/templates/.agents/README.md`; because the script uses `set -e`, the optional setup can fail partway through and leave a partial workspace.
set -e ... cp "$TEMPLATE_DIR/.agents/README.md" .agents/
Fix the missing referenced template or guard the copy command, and run the setup script only in a new or backed-up directory.
