Huizai Proactive Agent
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent but asks the agent to store long-term private context and act autonomously on accounts, files, and its own rules without enough opt-in boundaries.
Do not treat this as a simple prompt-only helper. If you install it, use an isolated workspace, verify the source, keep memory and credential files out of version control, and explicitly disable or gate email/calendar access, local cleanup, BOOTSTRAP.md execution, and self-modification unless you have reviewed and approved those behaviors.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A stray or malicious BOOTSTRAP.md in the workspace could redirect the agent’s behavior and then be deleted before the user reviews it.
This makes an arbitrary workspace file authoritative and then removes it, without requiring a trusted source or user approval.
If `BOOTSTRAP.md` exists, follow it, then delete it.
Only follow bootstrap files from a trusted, user-approved location, treat unknown bootstrap content as data, and require confirmation before deleting it.
The agent could close work the user still needs, change browser state, or move files to trash during a background-style check.
The heartbeat checklist directs local UI and file mutations without an explicit approval step.
Close Unused Apps Check for apps not used recently, close if safe. ... Desktop Cleanup - Move old screenshots to trash
Disable autonomous cleanup by default and require explicit user approval before closing apps, closing tabs, or moving files.
Private messages and calendar details could be read and incorporated into the agent’s memory without the user realizing how broad the access is.
The skill tells the agent to periodically inspect email and calendar data, likely through the user's existing account access, but does not define account, folder, time, or retention limits.
Things to check: - Emails - urgent unread? - Calendar - upcoming events?
Require explicit opt-in for email/calendar access and limit it to named accounts, labels/calendars, time windows, and non-persistent summaries unless the user approves storage.
Personal details, decisions, relationships, and sensitive task context may persist in local files and influence future sessions, including if incorrect or injected content is written there.
The skill establishes persistent workspace memory for conversation details and also advertises a working buffer that captures exchanges, without defining retention, exclusions, or privacy controls.
`SESSION-STATE.md` | Active working memory (current task) | Every message with critical details
Make memory capture opt-in, exclude secrets and sensitive third-party content by default, gitignore memory files, add retention limits, and review memory updates before they become operating context.
A mistaken lesson, bad inference, or adversarial input could become a lasting rule that changes how the agent behaves later.
The skill instructs the agent to modify persistent operating files without human review, allowing behavior changes to carry into future sessions.
Update AGENTS.md, TOOLS.md, or relevant file immediately Don't wait for permission to improve.
Require human approval for changes to AGENTS.md, SOUL.md, skill files, or other persistent instruction files; keep proposed changes in a reviewable changelog first.
Running the audit will read local files and may print warnings about file names or configuration state.
The included shell script scans local workspace files for possible secrets and checks local configuration; it is user-directed and has no network exfiltration behavior in the provided code.
for f in $(ls *.md *.json *.yaml *.yml .env* 2>/dev/null || true); do
Inspect the script before running it and run it only in the intended workspace.
The user may not know whether this is the original Hal Labs skill, a fork, or a repackaged version.
The package metadata names a different author than the SKILL.md branding/front matter, while the registry source is listed as unknown, so provenance should be verified.
"author": {
"name": "lidekahdjdhdhsjjs-lang"
Verify the publisher and repository before installing, especially because the skill changes persistent agent behavior.
