Action Bias
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is transparent, but it broadly pushes agents to send emails, post publicly, call APIs, and push code without clear approval or scope controls.
Install only if you deliberately want agents to take real external actions. Before use, add explicit approval gates, account allowlists, per-run limits, draft/review steps for emails and posts, pull-request workflows for code, and retention rules for outreach logs.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent may prioritize doing something externally over giving the user a requested analysis, review, or plan.
This changes the agent's success condition from satisfying the user's requested deliverable to taking an external action. Although the skill later lists some cases where reports are acceptable, the core instruction is broad and mandatory.
Every agent session must produce at least one **externally visible action**. Internal files don't count.
Limit this skill to explicitly outbound tasks, and add a rule that public posts, emails, API writes, and code pushes require user approval unless the user has preauthorized that exact workflow.
If used with connected tools, the agent could send messages, publish content, or change code before a human reviews it.
The skill encourages high-impact tool use that can mutate third-party services, public channels, repositories, and accounts, but does not specify approval gates, scope limits, or reversibility.
External actions ... Sending an email ... Posting on social media ... Pushing code to a repo ... Making an API call that creates something ... Publishing content
Require explicit user confirmation for each external action type, maintain allowlists for accounts and destinations, and add safe defaults such as drafts-before-send and pull-request-before-push.
Connected email, social, API, or repository accounts could be used for real-world actions.
These actions typically rely on delegated account privileges. The artifacts do not request or handle credentials directly, but users should notice that the skill is intended to use whatever connected account authority the agent already has.
send emails, post content, make API calls, push code
Use least-privilege tool credentials, separate test/staging accounts from production accounts, and restrict which accounts the agent can use.
A single bad prompt change could lead to repeated emails, posts, submissions, or repository changes over time.
The guide recommends applying the action-first pattern to recurring agent jobs. If the prompt is overbroad, the same unsafe behavior could repeat across multiple scheduled sessions.
Write down every recurring agent session (cron jobs, heartbeat tasks, shifts).
Apply this only to selected workflows, add per-run action limits, monitoring, and easy disable controls, and audit recurring jobs before enabling external actions.
Outreach logs may retain contact information and message history beyond the immediate task.
The skill recommends storing prospect contact details and action proofs in local data or memory files. This is aligned with outreach tracking, but it creates persistent records that may include personal or business contact information.
Extract: name, company, URL, contact info. Save to data/prospect-pipeline.md ... memory/outreach-actions.md with addresses, subjects, URLs.
Define retention rules, avoid storing unnecessary personal data, protect the logs, and review them before reuse by future agents.