Proactive Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about being proactive, but it gives the agent broad persistent-memory, autonomous-check-in, private-account-reading, and bootstrap-instruction authority without enough scoping or approval boundaries.

Install only if you intentionally want a persistent, proactive agent. Before enabling it, remove or constrain BOOTSTRAP.md auto-follow/delete behavior, set explicit approval rules for heartbeats and local changes, scope any email/calendar access, and define what may be stored in memory and for how long.

VirusTotal

64/64 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI01: Agent Goal Hijack
High
What this means

A malicious or accidental BOOTSTRAP.md could redirect the agent's behavior or cause actions before the user reviews it, and deletion could remove the audit trail.

Why it was flagged

This makes any workspace file named BOOTSTRAP.md authoritative on first run and then removes the file, without showing trust checks, scoping, or user approval.

Skill content

If `BOOTSTRAP.md` exists, follow it, then delete it.

Recommendation

Require explicit user review before following any bootstrap file, restrict what bootstrap instructions may do, and do not delete it automatically.

ASI10: Rogue Agents
Medium
What this means

The agent may act outside a direct user request, potentially reading private context or changing the local environment during background-style checks.

Why it was flagged

The heartbeat design encourages ongoing autonomous checks and local system cleanup, including app closing and moving files to trash, with unclear scheduling and approval boundaries.

Skill content

Configure your agent to poll this during heartbeats... Close Unused Apps... Move old screenshots to trash... Things to check periodically: Emails - anything urgent? Calendar - upcoming events?

Recommendation

Enable heartbeats only with an explicit schedule and allowed-action list; require confirmation before closing apps, moving files, reading private accounts, or contacting the user.

ASI03: Identity and Privilege Abuse
Medium
What this means

If connected to account tools, the agent could inspect sensitive messages or calendar events without a fresh per-use approval or clear account/folder limits.

Why it was flagged

Email and calendar access involve private account data, but the metadata declares no credentials or scoped account requirements and the instructions treat these reads as freely allowed.

Skill content

Do freely: ... Search the web, check calendars ... Things to check: Emails - urgent unread? Calendar - upcoming events?

Recommendation

Define which accounts and data types may be read, prefer read-only scoped permissions, and require user approval before enabling email or calendar monitoring.

ASI06: Memory and Context Poisoning
Medium
What this means

Sensitive personal, business, or credential-adjacent details may be written into workspace files and later reused, synced, searched, or committed by mistake.

Why it was flagged

The skill intentionally persists user context and conversation details for future reuse, including broad logging after a context threshold, without clear exclusions, retention limits, or approval controls.

Skill content

`SESSION-STATE.md` | Active working memory (current task) | Every message with critical details ... Once context hits 60%, EVERY exchange gets logged. No exceptions.

Recommendation

Set explicit memory boundaries: exclude secrets and sensitive categories, define retention and cleanup rules, keep memory files out of version control, and let the user review stored memories.

ASI05: Unexpected Code Execution
Low
What this means

Running the script will read local filenames, file contents matching secret-like patterns, and configuration state, but it does not show network transmission or destructive behavior.

Why it was flagged

The user-directed audit script runs local shell commands to inspect credential permissions, common project files, gitignore settings, and a Clawdbot config.

Skill content

for f in $(ls *.md *.json *.yaml *.yml .env* 2>/dev/null || true) ... CONFIG_FILE="$HOME/.clawdbot/clawdbot.json"

Recommendation

Review the script before running it and run it from the intended workspace only.