My Proactive Agent
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill is coherent and not obviously malicious, but it asks the agent to keep broad persistent memory and proactively access private/local data with unclear scope and approvals.
Install only if you want a highly proactive, memory-heavy agent. Before enabling it, restrict which folders and accounts it can access, require approval for email/calendar connections and cleanup actions, review any memory files it writes, and disable automatic BOOTSTRAP.md following or self-modification unless you can audit the changes.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Personal and work details may be saved and reused across sessions even when the user did not explicitly ask to store them.
The skill tells the agent to persist details from user messages, including names, preferences, decisions, values, and URLs, into workspace memory before responding.
Trigger — SCAN EVERY MESSAGE FOR ... Proper nouns ... Preferences ... Decisions ... If ANY of these appear: ... WRITE — Update SESSION-STATE.md
Use opt-in memory rules, define sensitive-data exclusions, add retention/deletion controls, and show users what will be written before storing high-sensitivity details.
If enabled, the agent could read sensitive email or calendar information without a clear credential contract or read scope.
Email and calendar monitoring requires access to private account data, but the registry metadata declares no credentials, environment variables, or scoped account permissions.
Things to check periodically: - Emails - anything urgent? - Calendar - upcoming events?
Require explicit user opt-in for each connected account, use read-only least-privilege credentials, and document exactly what account data may be accessed.
The agent could disrupt active work or remove files/tabs during background-style checks.
The heartbeat checklist includes local state-changing actions such as closing apps/tabs and trashing desktop files, but does not clearly require approval at the point of action.
Close Unused Apps ... Browser Tab Hygiene ... Close: Random searches, one-off pages ... Desktop Cleanup - Move old screenshots to trash
Make cleanup actions preview-only by default and require explicit approval before closing apps, closing browser tabs, moving files, or changing the desktop.
Agent behavior can drift over time as it rewrites its own instructions and keeps operating between direct user tasks.
The skill encourages recurring autonomous heartbeat state and persistent self-updates to the agent's operating files without requiring user review.
Track state in: `memory/heartbeat-state.json` ... Update AGENTS.md, TOOLS.md, or relevant file immediately ... Don't wait for permission to improve.
Require review for changes to AGENTS.md, TOOLS.md, SOUL.md, skill files, and heartbeat rules; keep a changelog and provide an easy rollback path.
A malicious or accidental BOOTSTRAP.md in a workspace could cause the agent to take unintended actions and erase the evidence afterward.
An arbitrary local BOOTSTRAP.md file is treated as authoritative instructions and then removed, which can make untrusted workspace text redirect the agent.
If `BOOTSTRAP.md` exists, follow it, then delete it.
Only follow bootstrap files after user confirmation, record their contents/provenance, and do not delete them automatically.
Users have less assurance that the reviewed package identity matches the registry listing they intended to install.
The packaged metadata differs from the registry metadata shown for the evaluated skill, which lists slug `my-proactive-agent` and version `1.0.0`; the source is also unknown.
"slug": "proactive-agent", "version": "3.1.0"
Verify the publisher, slug, version, and package provenance before installing, especially because the skill grants broad autonomous behavior.
Running the script will inspect local files such as credential directories, gitignore files, and Clawdbot configuration.
The skill includes a user-run shell script; the provided script appears to perform local security checks and does not show exfiltration, but it is still executable code.
Run security audit: `./scripts/security-audit.sh`
Read the script before running it and execute it only in the intended workspace with normal user privileges.