Skill v1.0.0

ClawScan security

Agent Autonomy Kit.Bak · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 16, 2026, 12:07 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions match its stated goal (make agents run continuously and coordinate via a task queue), but it instructs automated background operation and external team communication without declaring or constraining credentials — this combination raises privacy/exfiltration and autonomy risks you should review before enabling.
Guidance
This kit is coherent for turning an agent into a continuously-running worker, but it introduces real operational risks: scheduled heartbeats and cron jobs will let the agent act and post to team channels without human prompts, and the skill assumes existing credentials (Discord/Slack, OpenClaw CLI) that could be used to transmit data. Before installing: (1) restrict the bot/channel credentials the agent will use (least privilege), (2) audit what kinds of files and memory the agent will read/write (avoid exposing secrets), (3) limit heartbeat frequency and token budgets, (4) test in an isolated environment or with limited-scope tokens, and (5) add monitoring/alerts for automated posts or unexpected activity. If you cannot limit credentials or audit what the agent will access, avoid enabling full autonomous cron-driven operation.

Review Dimensions

Purpose & Capability
Note: The name/description (proactive, continuous agent work) align with the SKILL.md and README: task queue, heartbeat, cron jobs, and team coordination are exactly what you'd expect. The skill doesn't request unrelated binaries or secrets.
Instruction Scope
Concern: Runtime instructions tell the agent to read/write local task and memory files, update HEARTBEAT.md, and set up cron jobs to run automatically (openclaw cron add). They also direct posting to external team channels (Discord/Slack). Those actions fall inside the purpose, but they enable autonomous, recurring operations and external communications that could transmit sensitive content if not carefully scoped.
Install Mechanism
OK: Instruction-only skill with no install spec or code files — low disk footprint and no third-party downloads. This reduces supply-chain risk.
Credentials
Concern: The skill does not declare any required environment variables, yet its instructions assume the ability to post to Discord/Slack and to run openclaw cron commands. Those operations require credentials or platform permissions in practice; the lack of declared env vars means the agent may use existing platform credentials with whatever scope they have (potentially over-broad).
Persistence & Privilege
Concern: The skill recommends creating cron jobs and frequent heartbeats that run without human prompts. While the skill itself isn't always:true, following its guidance grants long-lived autonomous behavior and automated external posting — increasing blast radius if the agent has access to sensitive data or broad channel permissions.