Accountability

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill has a legitimate operations-tracking purpose, but it introduces persistent follow-up state and recurring command-based checks without clearly bounded approval, scope, or cleanup controls.

Install only if you want the agent to maintain persistent operations follow-up files and possibly run network-based verification commands. Before use, require approval for executing any stored command, keep credentials out of files, and do not enable any heartbeat cron unless you can inspect and remove the exact scheduled job.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A stale, unsafe, or tampered follow-up command could be executed against local systems or production services.

Why it was flagged

The workflow is driven by shell-style check commands stored in FOLLOWUPS.md and may run them at session start or through automation, but the visible artifact does not clearly require approval or limit command scope.

Skill content

- **Check:** `<exact command to copy-paste>` ... `Check runs (manually, at session start, or via external automation)`

Recommendation

Require explicit user approval before running stored commands, keep checks read-only, and reject commands that mutate infrastructure, deploys, databases, or account state unless separately authorized.

What this means

A background job could continue running checks or modifying follow-up files after the immediate task is complete.

Why it was flagged

A recurring self-monitoring cron indicates persistent background behavior, but the supplied artifacts do not show the exact command, opt-in flow, disable instructions, or scope of what it monitors.

Skill content

- Heartbeat cron configuration (every 2h) with self-monitoring

Recommendation

Only enable any heartbeat cron with explicit user consent, document the exact cron entry, provide a removal command, and keep it scoped to the intended workspace files.
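
One way to meet the recommendation above (documented exact entry, explicit consent, a removal command, workspace-scoped) is to manage the cron entry as a tagged block, Ansible-style, so it can be added idempotently and removed without touching any other line. This is an added example in Python, not the skill's own cron configuration; the 2-hour schedule is taken from the skill's description, while the marker text, `heartbeat.sh`, its `--read-only` flag, and the workspace path are assumptions made for the demo.

```python
"""Install and remove a heartbeat cron entry as one exact, tagged block.

Added example, not the skill's own cron configuration. The 2-hour schedule
comes from the skill's description; the marker text, script path, flag and
workspace path are this example's assumptions.
"""
import subprocess

MARK = "#accountability-heartbeat"   # comment line that identifies our entry
WORKSPACE = "/home/agent/ops"        # assumed workspace holding FOLLOWUPS.md
# Every 2 hours: a read-only status pass scoped to the workspace; the log
# stays inside the workspace as well.
HEARTBEAT = (f"0 */2 * * * cd {WORKSPACE} && ./heartbeat.sh --read-only "
             f">> {WORKSPACE}/heartbeat.log 2>&1")
# The one-liner to hand the user as the documented removal command (GNU sed).
REMOVAL_COMMAND = f"crontab -l | sed '/^{MARK}$/,+1d' | crontab -"


def _without_heartbeat(lines: list[str]) -> list[str]:
    """Drop the marker line and the single entry after it; keep everything else."""
    kept, skip_next = [], False
    for line in lines:
        if skip_next:
            skip_next = False
            continue
        if line.strip() == MARK:
            skip_next = True
            continue
        kept.append(line)
    return kept


def add_heartbeat(crontab_text: str) -> str:
    """Return the crontab with exactly one heartbeat block appended (idempotent)."""
    lines = _without_heartbeat(crontab_text.splitlines())
    lines += [MARK, HEARTBEAT]
    return "\n".join(lines) + "\n"


def remove_heartbeat(crontab_text: str) -> str:
    """Return the crontab with the heartbeat block removed and nothing else touched."""
    lines = _without_heartbeat(crontab_text.splitlines())
    return "\n".join(lines) + "\n" if lines else ""


def read_crontab() -> str:
    # `crontab -l` exits non-zero when the user has no crontab yet.
    proc = subprocess.run(["crontab", "-l"], capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


def write_crontab(text: str) -> None:
    subprocess.run(["crontab", "-"], input=text, text=True, check=True)


if __name__ == "__main__":
    import sys
    action = sys.argv[1] if len(sys.argv) > 1 else "show"
    if action == "install":
        # Consent is explicit: show the exact entry and the removal command first.
        print("Will add to your crontab:\n" + MARK + "\n" + HEARTBEAT)
        print("Remove later with:\n" + REMOVAL_COMMAND)
        if input("Proceed? [y/N] ").strip().lower() == "y":
            write_crontab(add_heartbeat(read_crontab()))
    elif action == "remove":
        write_crontab(remove_heartbeat(read_crontab()))
    else:
        print(read_crontab() or "(no crontab)")
```

Run with `install` to see the exact entry and confirm, `remove` to take it out, or no argument to print the current crontab. Because the entry is identified by the marker line rather than by fuzzy matching, the removal path cannot delete a user's unrelated jobs, and re-running `install` never produces a second copy.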

What this means

Anyone or anything that can edit these files may affect future follow-up checks or operational decisions.

Why it was flagged

The skill intentionally persists operational context, commands, origins, deadlines, and histories across sessions; this is purpose-aligned but can influence later agent behavior.

Skill content

`FOLLOWUPS.md` | Active tracking ledger (changes constantly) ... `ARCHIVE.md` | Audit trail of resolved items (append-only)

Recommendation

Keep the files in a trusted workspace, review entries before acting on them, and avoid storing secrets or sensitive internal details beyond what is necessary.

What this means

Verification commands may access production or internal services using the user's environment credentials.

Why it was flagged

The skill may rely on service credentials for verification checks; it appropriately says not to hardcode secrets, but users should still ensure credentials are scoped.

Skill content

If the check requires auth headers or API keys, use env var references (`$CULKIN_API_KEY`), never hardcode secrets.

Recommendation

Use least-privilege tokens for checks, avoid broad admin credentials, and confirm that credential values are not written into FOLLOWUPS.md or ARCHIVE.md.
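
A pre-execution gate that covers both the stored-command finding (approval before running, read-only only, reject mutating commands) and the credential finding (no literal secrets in the ledger) can be a small linter run over FOLLOWUPS.md before the agent executes anything. The following is an added example in Python, not code from the skill or from ClawScan. It assumes the `- **Check:** `<command>`` line shape shown in the skill excerpt; the sample ledger is constructed for the demo, and the allowlist of read-only tools and the secret-token patterns are this example's own policy choices.

```python
"""Gate stored FOLLOWUPS.md checks before an agent runs any of them.

Added example, not the skill's or ClawScan's code. Assumes the ledger line
format from the skill excerpt (- **Check:** `<command>`). The read-only
allowlist and the secret patterns are this example's own policy.
"""
import re
import shlex

# Constructed sample ledger for the demo (not taken from the skill).
SAMPLE_FOLLOWUPS = """\
# FOLLOWUPS
- **Item:** Verify API healthy after deploy
- **Check:** `curl -sf -H "Authorization: Bearer $CULKIN_API_KEY" https://api.example.internal/health`
- **Item:** Confirm finished jobs were purged
- **Check:** `psql "$DATABASE_URL" -c "DELETE FROM jobs WHERE done"`
- **Item:** Release tag pushed
- **Check:** `git ls-remote --tags origin v1.0.0`
- **Item:** Cache flushed after release
- **Check:** `curl -X POST -H "Authorization: Bearer sk_live_0123456789abcdef" https://api.example.internal/cache/flush`
"""

CHECK_RE = re.compile(r"^\s*-\s*\*\*Check:\*\*\s*`([^`]+)`\s*$", re.M)
# Operators that let one stored line run a second, hidden command.
SHELL_OPERATORS = ("&&", "||", ";", "|", ">", "<", "$(")
CURL_BODY_FLAGS = {"-d", "--data", "--data-binary", "--data-raw",
                   "--data-urlencode", "-F", "--form", "-T", "--upload-file"}
GIT_READ_ONLY = {"ls-remote", "status", "log", "show", "diff", "rev-parse"}
SQL_CLIENTS = {"psql", "mysql", "sqlite3"}
MUTATING_SQL = re.compile(r"\b(DELETE|UPDATE|INSERT|DROP|ALTER|TRUNCATE)\b", re.I)
# Literal token shapes that should have been `$ENV_VAR` references instead.
HARDCODED_SECRET = re.compile(
    r"\b(?:sk_(?:live|test)_[A-Za-z0-9]{8,}|ghp_[A-Za-z0-9]{20,}"
    r"|AKIA[0-9A-Z]{16}|Bearer\s+(?!\$)[A-Za-z0-9._-]{16,})")


def extract_checks(ledger: str) -> list[str]:
    """Return the stored check commands, in ledger order."""
    return CHECK_RE.findall(ledger)


def curl_mutates(argv: list[str]) -> bool:
    """True if a curl invocation sends a body or a non-GET/HEAD method."""
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-X", "--request"):
            method = argv[i + 1].upper() if i + 1 < len(argv) else ""
            if method not in ("GET", "HEAD"):
                return True
            i += 2
            continue
        if arg.startswith("-X") and arg[2:].upper() not in ("GET", "HEAD"):
            return True  # joined form, e.g. -XPOST
        if arg in CURL_BODY_FLAGS or arg.startswith("--data"):
            return True
        i += 1
    return False


def classify(cmd: str) -> str:
    """Return 'read-only', 'mutating' or 'unknown'; only 'read-only' may auto-run."""
    if any(op in cmd for op in SHELL_OPERATORS):
        return "unknown"
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return "unknown"
    if not argv:
        return "unknown"
    binary = argv[0].rsplit("/", 1)[-1]
    if binary == "curl":
        return "mutating" if curl_mutates(argv) else "read-only"
    if binary == "git":
        return "read-only" if len(argv) > 1 and argv[1] in GIT_READ_ONLY else "mutating"
    if binary in SQL_CLIENTS:
        if MUTATING_SQL.search(cmd):
            return "mutating"
        return "read-only" if re.search(r"\bSELECT\b", cmd, re.I) else "unknown"
    return "unknown"  # unrecognised tool: a human decides


def find_hardcoded_secrets(cmd: str) -> list[str]:
    """Literal tokens found in the command text (env var references do not match)."""
    return [m.group(0) for m in HARDCODED_SECRET.finditer(cmd)]


def lint_ledger(ledger: str) -> list[dict]:
    """One row per stored check; auto_run is True only for clean read-only checks."""
    rows = []
    for cmd in extract_checks(ledger):
        verdict = classify(cmd)
        secrets = find_hardcoded_secrets(cmd)
        rows.append({"command": cmd, "verdict": verdict, "secrets": secrets,
                     "auto_run": verdict == "read-only" and not secrets})
    return rows


if __name__ == "__main__":
    for row in lint_ledger(SAMPLE_FOLLOWUPS):
        flag = "AUTO" if row["auto_run"] else "NEEDS APPROVAL"
        print(f"[{flag}] {row['verdict']:9} {row['command']}")
        for s in row["secrets"]:
            print(f"    hardcoded secret: {s[:12]}...")
```

The design point is the default: anything the gate cannot positively classify as read-only (an unrecognised binary, a pipe or `&&` that could chain a second command, a non-GET curl, a mutating SQL verb) falls through to "needs approval" rather than running. A literal token in the command text blocks auto-run even when the command itself is read-only, which is the check the recommendation above asks for on FOLLOWUPS.md and ARCHIVE.md.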

What this means

A user relying only on the registry summary may not realize the skill expects network-capable command checks.

Why it was flagged

The included manifest (claw.json) declares version 1.0.0, filesystem/network permissions, and a curl binary, while the registry summary reports version 0.1.0 and no required binaries; this is a metadata consistency issue rather than evidence of malicious behavior.

Skill content

"version": "1.0.0" ... "permissions": ["filesystem", "network"] ... "bins": ["curl"]

Recommendation

Align registry metadata with claw.json and clearly disclose curl/network expectations in the published listing.