v2.0.0

Persona Builder

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:31 AM.

Analysis

This is mostly a local persona/workspace generator, but the templates it creates include persistent background-agent and inherited sub-agent permission patterns that should be reviewed before installation.

GuidanceUse this only after reviewing the generated AGENTS.md and MEMORY.md. It is reasonable for drafting local persona files, but remove or tightly bound background loops, auto-restarts, and `sandbox: inherit` sub-agent rules unless you explicitly want those behaviors. Keep generated identity, schedule, goals, and risk files private, and verify the research claims before relying on them.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents

SeverityMediumConfidenceHighStatusConcern

templates/AGENTS.template.md

[Managed sessions for background loops] ... Heartbeat monitoring: detects stalls, auto-restarts

The generated AGENTS.md template would tell future agents about background loops and auto-restart behavior, but the artifact does not define explicit opt-in, runtime limits, stop conditions, or user approval for those persistent sessions.

User impactA future agent could treat the generated workspace as permission to keep background work alive beyond the immediate task.

RecommendationRemove or disable these lines unless you intentionally want background workers. If kept, add explicit start/stop rules, owner approval, logging, and bounded schedules.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

references/generation-rules.md

Broader autonomy | External APIs/channels within safety bounds ... Full autonomy | Everything except irreversible financial/posting decisions

The generation rules can encode user-selected authority for future agents to interact with external APIs or channels. This is disclosed and user-directed, but it is high-impact if chosen casually.

User impactIf you select broad or full autonomy, generated instructions may authorize future agents to take actions outside local file drafting.

RecommendationPrefer draft-approve or reversible-only settings unless you have a clear operating policy for external systems. Add explicit approval requirements for posting, financial, account, or reputational actions.

Human-Agent Trust Exploitation

SeverityLowConfidenceHighStatusConcern

references/research-notes.md

informed by three peer-reviewed papers ... Authors: [Assumes multi-author work on semantic parsing and hierarchical structures]

The artifact claims peer-reviewed research backing while the same reference notes contain placeholder or assumed citation metadata, which can overstate the reliability of the autonomy and memory design.

User impactUsers may over-trust generated memory/autonomy rules because they are presented as research-backed despite internally uncertain citation details.

RecommendationTreat the research claims as design rationale, not verified safety evidence. Verify citations independently before relying on the claimed performance or safety benefits.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

README.md

Step 1: Run the interview
```bash
persona-builder
```

The package is described as instruction-only with no code files or required binaries, but the README documents a CLI-style command. This creates usage/provenance ambiguity if a separate executable appears.

User impactA user might try to run a command that is not represented by the reviewed artifacts.

RecommendationInvoke it through the documented OpenClaw skill mechanism or verify the source of any separate `persona-builder` executable before running it.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusConcern

templates/AGENTS.template.md

When spawning sub-agents: - Use `sandbox: inherit` - Keep writes inside workspace

The template recommends inherited sandbox permissions for sub-agents. Although it limits writes to the workspace, it does not clearly specify sub-agent identity, allowed tools, data boundaries, or approval before spawning.

User impactSub-agents may inherit the same workspace/context and privileges as the main agent, increasing the chance that mistakes or poisoned instructions propagate.

RecommendationUse least-privilege sub-agent settings, require explicit approval before spawning, and document what files, tools, and context each sub-agent may access.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

README.md

Answer questions about your identity, goals, communication style, schedule, and personality, then get five ready-to-use files

The skill intentionally turns personal interview answers into persistent local workspace files that future agents may reuse as memory and operating context.

User impactYour name, schedule, goals, risks, preferences, and other personal details may persist in workspace files and could be committed or shared if you do not review them.

RecommendationReview and redact generated files before copying them into a workspace or git repository. Keep persona and memory files private if they include sensitive personal details.