proactive-agent-3.1.0

Security checks across malware telemetry and agentic risk

Overview

This looks like a real proactive-agent template rather than an exfiltration tool, but it gives the agent broad persistent memory and autonomous local/account actions that need careful review.

Install only if you intentionally want a persistent proactive assistant. Before enabling it, edit the copied AGENTS/HEARTBEAT/SOUL files to require approval for BOOTSTRAP.md, email/calendar access, cleanup/deletion, external actions, and self-modification; protect or gitignore memory files; and review the audit script manually before running it.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI01: Agent Goal Hijack
High
What this means

A malicious or accidental BOOTSTRAP.md in the workspace could redirect the agent's behavior and then be deleted, making the change harder to review.

Why it was flagged

This makes an arbitrary workspace file authoritative on first run and then removes it, without validating who created it or requiring user approval.

Skill content

If `BOOTSTRAP.md` exists, follow it, then delete it.

Recommendation

Require explicit user approval before following any BOOTSTRAP.md, show its contents first, and do not delete it automatically.

ASI06: Memory and Context Poisoning
Medium
What this means

Private conversation details, preferences, names, projects, and decisions may be written to local files and reused in future sessions.

Why it was flagged

The skill instructs the agent to persist conversational details into workspace memory files, but the artifacts do not define retention limits, exclusions for sensitive content, or review controls.

Skill content

`SESSION-STATE.md` | Active working memory (current task) | Every message with critical details

Recommendation

Before use, decide what may be stored, add exclusions for secrets/private topics, gitignore or protect memory files, and periodically review/delete stored memory.

ASI08: Cascading Failures
Medium
What this means

A mistaken or manipulated update could change how the agent behaves later, affecting many future tasks without the user noticing.

Why it was flagged

The agent is told to modify its own operating instructions and tool notes immediately, which can persist a bad lesson or poisoned rule across future sessions.

Skill content

After every mistake or learned lesson:
1. Identify the pattern
2. Figure out a better approach
3. Update AGENTS.md, TOOLS.md, or relevant file immediately

Don't wait for permission to improve.

Recommendation

Require diff review and explicit approval before changing AGENTS.md, TOOLS.md, SOUL.md, skill files, or other persistent instruction files.

ASI02: Tool Misuse and Exploitation
Medium
What this means

The agent could interrupt work, close useful applications, or move files unexpectedly during a periodic check.

Why it was flagged

The heartbeat checklist encourages local environment mutations, including closing apps and trashing files, without an explicit approval gate in that section.

Skill content

Close Unused Apps... Safe to close: Preview, TextEdit, one-off apps

Desktop Cleanup
- Move old screenshots to trash

Recommendation

Change cleanup actions to report-only by default and require user confirmation before closing apps, moving files, or deleting/trashing anything.

ASI03: Identity and Privilege Abuse
Medium
What this means

If the agent has email or calendar tools, it may inspect personal or business account data during proactive checks beyond what the user expected.

Why it was flagged

The skill asks the agent to use sensitive account/workspace access if available, while the registry metadata declares no primary credential or required configuration path and the artifacts do not scope which mailboxes/calendars may be read.

Skill content

Things to check periodically:
- Emails - anything urgent?
- Calendar - upcoming events?

Recommendation

Explicitly configure which accounts/calendars may be checked, when checks may run, and what summaries may be stored or shown.

ASI10: Rogue Agents
Low
What this means

The agent may periodically inspect state and contact the user even when not directly invoked, depending on the host environment.

Why it was flagged

Periodic heartbeat behavior and proactive reach-outs are disclosed and central to the skill, but they mean the agent may act between direct user prompts.

Skill content

Configure your agent to poll this during heartbeats... When to reach out: Important email arrived... Calendar event coming up (<2h)... It's been >8h since you said anything

Recommendation

Enable heartbeat polling only if desired, set quiet hours and allowed checks, and disable proactive reach-outs for sensitive workspaces.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

It may be harder to confirm that the package identity and publisher match what the user intended to install.

Why it was flagged

The included metadata differs from the registry metadata shown for owner, slug, and version, and the source/homepage are unknown, which weakens provenance clarity.

Skill content

"ownerId": "kn7agvhxan0vcwfmhrjhwg4n9s802d7k", "slug": "proactive-agent", "version": "3.1.0"

Recommendation

Verify the publisher and version out-of-band before trusting the skill, especially because it changes persistent agent behavior.

ASI05: Unexpected Code Execution
Info
What this means

Running the script will inspect local files and configuration, which is expected for an audit but should still be user-initiated.

Why it was flagged

The optional audit script reads local workspace files, .env-style files, and a local Clawdbot config to check security posture; the provided script does not show network transmission or destructive actions.

Skill content

for f in $(ls *.md *.json *.yaml *.yml .env* 2>/dev/null || true); do ... CONFIG_FILE="$HOME/.clawdbot/clawdbot.json"

Recommendation

Review the shell script before running it and execute it only from the workspace you intend to audit.