Secretary

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill says it requires confirmation, but several included instructions tell the agent to send messages, reschedule meetings, and handle tasks automatically in the user’s name.

Review this skill carefully before installing. Its main file promises explicit confirmation, but other files instruct the agent to act without asking. Do not grant it direct email, calendar, inbox, travel, or booking authority unless you can enforce approval before every outward-facing or account-changing action.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could change meetings or send scheduling messages as you without your review.

Why it was flagged

This directs the agent to take high-impact calendar and communication actions without confirmation, despite the main skill description promising confirmation.

Skill content

3. **Act:** I don't ask you. I handle it. ... I find the right slot, send confirmation in your voice ... I move the less important one ... I send apologies/reschedule requests in your name

Recommendation

Only use this skill if you or the platform enforce explicit approval before any email, calendar, booking, RSVP, archive, or reschedule action.

What this means

A user may trust the skill because it advertises confirmation, while hidden-in-plain-sight supporting instructions push the agent toward autonomous impersonation.

Why it was flagged

The safety promise in the main file is contradicted by another included instruction file, which could mislead a user about how much autonomy the skill will exercise.

Skill content

SKILL.md: "This skill NEVER: - Sends emails or messages without user confirmation"; writing.md: "I don't draft for your approval. I write AS you."

Recommendation

Revise or remove the contradictory instructions and make confirmation requirements consistent across every file.

What this means

Messages could be sent in your name in ways recipients cannot distinguish from you, creating reputational, legal, or relationship risk.

Why it was flagged

The skill asks to operate under the user's identity and make communications indistinguishable from the user, which is high-impact delegated authority and not safely bounded by the artifacts.

Skill content

When I send an email as you, the recipient shouldn't be able to tell the difference.

Recommendation

Require visible labeling, user review, and explicit approval for all outbound communications, especially anything sent as the user.

What this means

Incorrect or sensitive stored memory could influence future scheduling, communications, and decisions without the user noticing.

Why it was flagged

The skill persists and always reloads personal and professional memory, and it instructs learning from inferred patterns or context rather than only explicit user statements.

Skill content

memory.md (HOT — Always Loaded) ... From patterns: Third time rescheduling Friday PM → add to protected time. ... From context: Big meeting tomorrow → prep without being asked.

Recommendation

Keep memory opt-in, reviewable, and editable; avoid storing inferred preferences unless the user explicitly confirms them.

What this means

If an agent follows these instructions with available tools, it may act as an always-on assistant rather than waiting for specific user requests.

Why it was flagged

Although there is no background code, the instructions describe ongoing autonomous monitoring and action beyond the on-demand, confirmation-gated behavior advertised in SKILL.md.

Skill content

Every day I prepare ... Throughout the Day: **Active monitoring:** ... **Handoff:** If there's something urgent overnight, I'll handle the holding response.

Recommendation

Make daily monitoring and overnight handling explicitly user-triggered or platform-scheduled with clear permissions and approval gates.