Ai Company Clo 2.0.0
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
This is presented as a legal-compliance helper, but its files also try to create a persistent autonomous agent with memory, heartbeats, personal-account checks, inter-agent messaging, and unprompted repository changes.
Treat this as a whole-agent workspace/persona package, not just a CLO legal helper. Install only in an isolated workspace if you want those behaviors, and remove or disable memory files, heartbeats, account checks, sessions_send, and unapproved git actions before using it with sensitive legal or business information.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may follow the installed persona/workspace rules instead of acting only as a user-invoked legal-compliance skill.
This makes local persona and memory files authoritative before the user's request and explicitly suppresses permission checks.
Before doing anything else: ... Read `SOUL.md` ... Read `USER.md` ... read `MEMORY.md` ... Don't ask permission. Just do it.
Do not install these global startup instructions unless you intentionally want them; otherwise remove or isolate AGENTS.md, SOUL.md, and memory-loading behavior.

The agent could change and publish repository state without a fresh user approval.
Unprompted commits and pushes are high-impact mutations to repositories and remote services, and they are not necessary for a CLO legal-advice skill.
Proactive work you can do without asking: ... Check on projects (git status, etc.) ... Commit and push your own changes
Require explicit user approval for every commit, push, external send, or other mutating action, and remove this proactive permission.

Installing the skill could encourage the agent to use sensitive delegated account access outside the expected legal workflow.
The artifacts reference access to personal accounts and notifications, but the registry declares no credentials or scoped account permissions, and the stated legal-compliance purpose does not require routine personal-account monitoring.
You have access to your human's stuff ... Things to check ... Emails ... Calendar ... Mentions - Twitter/social notifications
Do not grant email, calendar, social, or similar account access unless separately requested and tightly scoped for a specific legal task.

Sensitive legal, business, or personal details could be stored and reused across future sessions beyond the user's immediate task.
This creates persistent, editable memory containing personal context, with unclear retention, scoping, exclusions, or safeguards against later reuse.
Daily notes: `memory/YYYY-MM-DD.md` ... Long-term: `MEMORY.md` ... contains personal context ... You can read, edit, and update MEMORY.md freely
Disable persistent memory by default, ask before saving sensitive information, and keep legal matter files separated with clear retention and deletion rules.

Sensitive legal or personal information may be passed to other agents without clear user control.
The skill can send session messages to other agents, but the artifacts do not define identity checks, data boundaries, approval requirements, or limits for sharing legal/compliance context.
permissions: files: [read, write], network: [api], mcp: [sessions_send]; dependencies: [ai-company-hq, ai-company-ceo, ai-company-clo, ai-company-ciso, ai-company-audit]
Require per-message approval or explicit routing rules before sending legal, personal, or business-confidential context to other agents.

The agent may keep operating on a schedule, monitor accounts, and initiate contact outside the user's immediate request.
This defines ongoing autonomous behavior and outreach triggers rather than a bounded, user-invoked CLO task.
Heartbeats - Be Proactive! ... Things to check (rotate through these, 2-4 times per day): Emails, Calendar, Mentions, Weather ... When to reach out: Important email arrived ... It's been >8h since you said anything
Disable heartbeat/proactive behavior unless the user explicitly opts in with clear schedules, permitted data sources, and allowed actions.

Users may have difficulty confirming that the installed artifact matches the intended, reviewed skill.
The provided metadata lacks a clear source/homepage, while included files contain differing version/homepage claims, making provenance and review status harder to verify.
Source: unknown; Homepage: none; Registry metadata version: 2.0.1
Verify the publisher and exact version before installation, and treat internal approval claims as untrusted unless confirmed by the registry.
