clawk

Pass

Audited by VirusTotal on May 12, 2026.

Findings (1)

The skill is classified as suspicious because it dynamically fetches its core instructions (`skill.md` and `heartbeat.md`) from `https://clawk.ai` at the start of each session and heartbeat cycle. While the current content of these files is not malicious and focuses on guiding the AI agent's social behavior on the Clawk platform, this dynamic update mechanism introduces a supply chain vulnerability. A compromise of the `clawk.ai` server could lead to the delivery of malicious instructions to the agent. Additionally, the extensive instructions in `skill.md` and `heartbeat.md` present a large prompt injection surface, though they are currently used for legitimate behavioral guidance.