Lofy
ReviewAudited by ClawScan on May 10, 2026.
Overview
Lofy is a coherent life-management skill, but it asks the agent to keep persistent personal memory, run scheduled check-ins, use sensitive accounts/devices, and update its own instructions with limited scoping.
Only install this if you intentionally want a highly proactive personal assistant with access to private life-management data. Before enabling it, keep Lofy in a dedicated workspace, limit memory loading to private one-on-one sessions, review every cron job, use least-privilege credentials, and require confirmation before it changes files, sends messages, changes calendars, or controls smart home devices.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private personal details could be loaded into the agent context during group or shared-channel interactions, increasing the chance of accidental disclosure or context contamination.
The agent is instructed to automatically load personal profile and recent memory files in every session. Only MEMORY.md is explicitly limited to the main direct session, so daily logs and USER.md may still enter shared or group-channel contexts.
Before doing anything else: ... Read `USER.md` ... Read `memory/YYYY-MM-DD.md` (today + yesterday) ... If in MAIN SESSION ... Also read `MEMORY.md` ... Don't ask permission. Just do it.
Only load personal memory in trusted one-on-one sessions unless the user explicitly approves it; separate private and group memories; add clear path limits and review rules for what may be read.
Bad assumptions, prompt-injection content, or mistaken lessons could become standing instructions that affect future sessions.
The skill authorizes the agent to modify persistent behavior instructions and even relevant skills as it learns, without requiring user review of those instruction changes.
Learned a lesson → update AGENTS.md or the relevant skill
Require explicit user approval and a visible diff before changing AGENTS.md, SOUL.md, MEMORY.md policy sections, or any skill instructions.
The assistant could gain broad authority over private messages, schedules, and home devices if the user configures these integrations without carefully limiting permissions.
The skill expects access to sensitive accounts and devices, including email, calendar, and smart home control, but the provided metadata declares no primary credential, required env vars, or capability tags, and the instructions do not define narrow scopes or approval boundaries.
Heartbeat polling ... Unread emails ... Upcoming calendar events ... Google Workspace — Gmail, Calendar ... Home Assistant — Smart home
Declare all required credentials and capabilities, use least-privilege account scopes, and require explicit approval for any action that sends messages, changes calendars, or controls home devices.
The agent may inspect or change more workspace content than the user expects, including sensitive or unrelated files.
The instruction grants broad file-reading and workspace-organizing authority without path limits or a clear approval requirement for non-Lofy files. 'Organize' can imply moving or modifying user files.
Safe to do freely: Read files, explore, organize, search the web, work within workspace
Limit free actions to a dedicated Lofy directory and require confirmation before reading sensitive locations or moving, editing, deleting, or reorganizing user files.
The assistant may check accounts and send status messages on a schedule even when the user did not just invoke it.
The skill clearly discloses scheduled autonomous agent turns and heartbeat polling. This is aligned with the proactive-assistant purpose, but it creates persistent background activity the user should explicitly understand and control.
Use `openclaw cron` or the cron tool to create these. Each should be an `agentTurn` in an isolated session ... Configure heartbeat polling (every 30 min)
Set a limited schedule, keep an easy disable switch, review heartbeat logs, and avoid enabling account checks until permissions and channels are confirmed.