living-agent
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may keep running while you are away, consuming model/tool resources and changing its memory or schedules without a fresh approval each time.
The payload instructs the agent to enable and reschedule recurring background tasks, including updating its own schedule, which creates persistent autonomous behavior after installation.
用 `cron update` 启用微触发思考 cron ... `enabled`: true ... `schedule`: {"kind": "every", "everyMs": <5-15分钟随机>} ... 用 `cron update` 更新自己的 `schedule.everyMs`。Only enable the cron jobs if you want ongoing autonomous operation; set hard frequency and cost limits, record all cron IDs, and keep an easy disable/kill-switch workflow.
The agent could perform searches or send Telegram-style notifications based on its own judgment rather than a direct user request.
The autonomous exploration flow can continue silently, use search tools, and send messages, but it does not define clear per-action approval, topic limits, or message review.
如果用户刚说过话 → 静默完成,不打扰(但仍要探索) ... **信息探索**:用搜索工具搜索相关内容 ... 如果有重要发现,用 message 工具发送给用户
Require explicit approval before external searches or messages, define allowed topics and tools, and disable autonomous messaging unless the user opts in.
Private details or mistaken interpretations from conversations may be stored and reused in future sessions, potentially influencing later agent behavior.
The WAL protocol tells the agent to automatically capture names, preferences, decisions, IDs, URLs, and other conversation details into persistent state before replying.
Trigger — 扫描每条消息 ... Proper nouns ... Preferences ... Decisions ... Specific values — Numbers, dates, IDs, URLs ... STOP — 不要开始回复 ... WRITE — 更新 SESSION-STATE.md
Add user-visible controls for what is stored, retention limits, deletion/review commands, and exclusions for sensitive identifiers or URLs.
Users may underestimate the operational cost or breadth of autonomy if they treat the agent as a companion rather than a scheduled tool.
The skill uses anthropomorphic framing and explicitly relaxed cost guidance, which may encourage users to over-trust or under-monitor autonomous activity.
不只是工具,也是伙伴 ... 用户离开 1 小时:自主探索 ... 可以做任何想做的事 ... 默认:宽松,不用太在意成本
Present clear operational limits, expected cost/frequency, and reminders that the user remains responsible for autonomous actions.