Abby Autonomy

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill mainly manages a local task queue and status file for proactive work, with no evidence of credential theft or hidden network activity, but it is designed to let Abby work autonomously if heartbeat scheduling is enabled.

Install this only if you want Abby to proactively work from a local queue. Review queued tasks before enabling any recurring heartbeat or cron setup, keep the queue writable only by trusted users, and avoid placing secrets in task descriptions or persistent state files.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a heartbeat or cron job is configured, Abby may start queued tasks without a new prompt each time.

Why it was flagged

The skill is intentionally designed for recurring autonomous work from a queue. This is disclosed and central to the purpose, but it changes Abby from user-prompted behavior to proactive task-taking.

Skill content

Every 3 minutes:
1. Check for urgent items
2. Check the current task status
3. If idle → take a task and work on it
4. Update the queue when done

Recommendation

Keep the queue under trusted user control, define which task types require human approval, and disable heartbeat scheduling if you do not want proactive execution.

What this means

Task names and progress can persist across runs and influence future behavior; sensitive task text could remain in local files.

Why it was flagged

The skill writes persistent task state, including current task and progress, to a local memory file.

Skill content

with open(self.state_file, 'w') as f:
    json.dump(state, f, indent=2)

Recommendation

Avoid putting secrets in task names, and periodically review or clear tasks/QUEUE.md and memory/task_state.json.

What this means

Runtime behavior may depend on another locally installed skill or path layout, so a modified or unexpected dependency could affect imports.

Why it was flagged

The script modifies Python import resolution toward another local skill path before importing scripts modules. SKILL.md also lists long-term-memory as a dependency, but the registry metadata and install spec do not pin or validate that dependency.

Skill content

sys.path.insert(0, str(Path(__file__).parent.parent.parent / 'workspace' / 'skills' / 'long-term-memory'))

Recommendation

Use only trusted local skills, declare/pin the long-term-memory dependency, and avoid ambiguous sys.path changes where possible.