AI Persona OS

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may ask to run shell commands that create or inspect files in the workspace.

Why it was flagged

The skill directs the agent to run local setup commands itself instead of asking the user to run them. This is disclosed and approval-gated, but it gives the agent local command execution during setup.

Skill content

You have the exec tool. USE IT. Run every command yourself via exec. Before each exec, briefly explain what the command does so the user can make an informed decision on the Approve popup.

Recommendation

Review each exec approval prompt and only approve commands that stay within the stated ~/workspace scope.

What this means

Information written into the workspace may shape future agent behavior and could include personal, business, or team context.

Why it was flagged

The skill establishes persistent local files that influence future agent behavior and store user/persona context. This is central to the skill, but persistent memory can preserve sensitive or incorrect information if not maintained.

Skill content

Every session:
1. Read this file (SOUL.md) — Remember who you are
2. Read USER.md — Remember who you serve
3. Read SECURITY.md — Remember the risks
4. Check recent memory

Recommendation

Periodically review SOUL.md, USER.md, MEMORY.md, and related files, and avoid storing secrets or unverified instructions there.

What this means

If enabled, the agent can run scheduled briefings or reviews without a direct chat request each time.

Why it was flagged

The skill includes templates for recurring OpenClaw cron jobs. The comments repeatedly state they are opt-in and not auto-installed, but enabling them creates scheduled autonomous agent sessions.

Skill content

openclaw cron add \
  --name "ai-persona-morning-briefing" \
  --cron "0 8 * * *" \
  --session isolated

Recommendation

Only enable cron jobs if you want recurring autonomous behavior, and keep track of how to list, modify, or remove those jobs.

What this means

If Discord or Slack tokens are provided, the agent may be able to read or send messages depending on the token scopes and connected tools.

Why it was flagged

The skill declares optional messaging-platform credentials for team/channel integration. This fits the assistant/team workflow purpose, but those tokens can grant communication access if configured.

Skill content

optionalEnv:["DISCORD_TOKEN","SLACK_TOKEN"]

Recommendation

Use least-privilege bot tokens, restrict channel access, and require explicit confirmation before sending messages or sharing sensitive information.