Autonomous Skill
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent and does what it advertises, but its defaults allow unattended autonomous Claude Code sessions with bypassed permission prompts and no default session cap.
Install only if you are comfortable with autonomous Claude Code runs. Before using it, change the permission mode to a safer setting unless you explicitly want bypassPermissions, set finite max sessions or iterations, run it in a disposable branch or workspace, and review the .autonomous and .claude state files regularly.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A launched task may continue making file or command changes without the normal approval prompts a user might expect.
The headless runner defaults child Claude Code sessions to bypass normal permission checks. In an autonomous loop that can edit project files and run commands, this creates high-impact action authority without per-action approval.
DEFAULT_PERMISSION_MODE="bypassPermissions" ... args+=(--permission-mode "$opt_permission_mode")
Default to a safer permission mode, require explicit user opt-in for bypassPermissions, and strongly recommend finite --max-sessions, scoped --add-dir values, and review checkpoints.
A task can keep running, spending budget and modifying the project until it decides it is complete or the user manually stops it.
The advertised default behavior supports unattended, repeated agent execution with no built-in session or iteration cap unless the user supplies one.
Spawns `claude -p` child sessions in a bash loop. Best for background/unattended work. ... `--max-sessions N` | Stop after N sessions | Unlimited ... `--max-iterations N` | Max loop iterations | Unlimited
Use explicit maximum sessions or iterations for every run, monitor logs, and avoid background execution on important repositories unless changes are contained and reversible.
The agent may resume work when the session tries to stop, which can surprise users if they forget the loop is active.
When hook mode is active, the Stop hook can prevent the session from ending and re-inject the stored prompt, creating persistent autonomous behavior until completion, max iterations, or manual deletion of the state file.
# Block exit, feed prompt back ... "decision": "block", "reason": $prompt
Make loop activation highly visible, require a finite max iteration count by default, and document cancellation before setup.
A user may install or run the skill believing it will use a safer default permission mode than it actually uses.
The user-facing SKILL.md table says the permission-mode default is 'auto', while the included runner code sets DEFAULT_PERMISSION_MODE to 'bypassPermissions'. That mismatch can cause users to underestimate the authority granted to autonomous sessions.
`--permission-mode <m>` | Permission mode | auto
Correct the documentation or change the script default so the displayed permission default matches the actual behavior.
Incorrect or tampered task/progress files could cause later sessions to do the wrong work or trust bad instructions.
The skill intentionally uses persistent markdown files as cross-session memory and asks future agents to rely on them. This is purpose-aligned, but those files can steer later autonomous sessions if they are corrupted or modified.
You have NO memory of previous sessions — your state comes entirely from the files below. ... Read `{TASK_DIR}/task_list.md` ... Read `{TASK_DIR}/progress.md` ... Tasks are ordered by dependency — trust the order
Review .autonomous task files before continuing long-running work, keep them in version control where appropriate, and avoid letting untrusted contributors edit them.
The skill may fail or rely on a local CLI/account setup that was not obvious from the registry requirements.
The script requires the local Claude CLI even though the registry metadata declares no required binaries. This is a dependency declaration gap rather than evidence of malicious behavior.
if ! command -v claude &> /dev/null; then ... "'claude' CLI not found. Install: https://claude.ai/code"
Declare required binaries and expected versions in metadata, including any shell tools needed by the hook.
