Agent Autonomy Primitives
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is transparent about building autonomous agent loops, but it encourages recurring self-directed execution without clear approval, stop, or containment controls.
Install only if you intentionally want an agent to run a recurring self-directed task loop. Before enabling heartbeats or cron jobs, define allowed projects and tools, require approval for risky actions, keep logs, add a pause/kill switch, and use a private or tightly controlled vault.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could use whatever tools or account access it already has to act on tasks without per-action confirmation.
The core loop directs the agent to select and execute queued work and create more work, but the artifact does not define human approval, permitted tools, task boundaries, or safeguards for high-impact actions.
3. Pick the highest-impact task executable RIGHT NOW
4. Execute it
5. On completion: clawvault task done <slug>
...
7. If new work discovered: clawvault task add "new task"
Add explicit approval gates for risky actions, restrict the task/project scope, allowlist permitted tools, and require logging before enabling the loop.
The agent may continue waking up and taking actions on a schedule after the initial setup, including acting on newly created tasks.
The skill recommends a recurring autonomous worker pattern. This is disclosed and purpose-aligned, but the artifact does not specify a kill switch, maximum runtime, pause mechanism, or containment boundary.
For cron-based agents, schedule a recurring job:
Schedule: every 30 minutes
Action: Read task queue, pick highest priority, execute, report
Only enable recurring execution with a clear owner, stop/pause control, monitoring, scoped vault, and limits on what the agent may do each cycle.
Incorrect, stale, sensitive, or untrusted vault entries could affect later agent decisions or expose private context to agents sharing the vault.
The skill intentionally stores persistent memory, including potentially personal or sensitive context, and reuses it to influence future task execution.
| `person` | `people/` | Contact info, relationship context |
| `preference` | `preferences/` | How someone likes things done |
...
- **Memory** feeds context into task execution
Keep the vault private, avoid storing secrets, review memory entries periodically, and separate sensitive or experimental agent state into different vaults.
Agents that can write to the same vault may influence each other’s task queues and memories.
The shared-vault collaboration model relies on conventions for ownership rather than an artifact-described identity, permission, or trust boundary.
Multiple agents sharing a vault need ownership conventions:
1. **Set `CLAWVAULT_PATH`** to the same directory for all agents
2. **Use `--owner`** on every task to prevent conflicts
3. **Convention:** agents only pick up tasks owned by them
Use shared vaults only with trusted agents, separate agents by project or vault when possible, and audit task ownership and memory changes.
Installing a global npm package can run package code and affect the local environment.
The setup requires installing an external npm CLI globally. This is expected for the skill’s purpose, but it means trust shifts to the external package.
npm install -g clawvault
clawvault init
Verify the ClawVault package source and publisher before installing, and consider using a pinned version or isolated environment.
