Proactive Agent V2
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill is not clearly malicious, but it asks the agent to become highly persistent and autonomous over local memory, files, and account checks with weak approval boundaries.
Install only if you want a proactive, persistent agent and are comfortable defining strict boundaries. Before use, remove or gate BOOTSTRAP.md auto-follow/delete behavior, require approval for cleanup and rule changes, limit email/calendar access, keep memory files private, and periodically review what the agent has stored.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A file placed in the workspace could steer the agent's behavior and then be deleted, making it harder for the user to review what happened.
This makes a workspace file an automatic startup instruction source and removes it afterward, without origin validation or user approval.
If `BOOTSTRAP.md` exists, follow it, then delete it.
Disable automatic BOOTSTRAP execution/deletion, or require the agent to show the file contents and get explicit approval before following or removing it.
The agent could disrupt the user's local session or move files unexpectedly during proactive maintenance.
The heartbeat checklist encourages periodic local environment changes, including closing apps and moving files to trash, without repeating an explicit approval step.
### Close Unused Apps Check for apps not used recently, close if safe. ... ### Desktop Cleanup - Move old screenshots to trash
Require confirmation before closing apps, moving files, cleaning the desktop, or making any other local-environment change.
If the agent has connected email or calendar tools, it may read private account information proactively and repeatedly.
The skill tells the agent to inspect sensitive account data during periodic checks, but the metadata declares no credentials and the artifacts do not bound which accounts, folders, calendars, or time windows may be accessed.
Things to check periodically: - Emails - anything urgent? - Calendar - upcoming events?
Limit the agent to specific accounts/calendars, define read-only scopes and frequency, and require user approval before enabling these checks.
Users have less information for deciding whether to trust the author and packaged script.
The skill includes instructions and a shell script but has incomplete provenance information.
Source: unknown Homepage: none
Review the included files before copying them into a workspace or running the audit script, especially because the skill changes persistent agent behavior.
Personal details and conversation context may be written down and reused across sessions longer than the user expects.
The memory design persists critical details from messages into local state files, and related artifacts also store user profile, relationships, preferences, and long-term memories.
`SESSION-STATE.md` | Active working memory (current task) | Every message with critical details
Define what may be remembered, where it is stored, retention/deletion rules, and require review before persisting sensitive personal or business information.
Private task context could be passed to additional agents if the user's environment supports that workflow.
The troubleshooting guidance includes spawning other agents, but the artifacts do not specify what context may be shared with them or how their identity and permissions are bounded.
Use every tool: CLI, browser, web search, spawning agents
Only spawn sub-agents with explicit user approval and provide minimal, redacted context unless sharing is clearly intended.
The agent's rules may drift over time, and future behavior may be influenced by automatically written instructions or mistaken lessons.
The skill encourages the agent to modify persistent operating rules and related files on its own, which can change future agent behavior without a user-reviewed diff.
Update AGENTS.md, TOOLS.md, or relevant file immediately Don't wait for permission to improve.
Require user approval or at least visible diffs before changing AGENTS.md, TOOLS.md, skill files, or other persistent instruction sources.