v1.0.0

Agent Identity Evolution

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:34 AM.

Analysis

The skill is coherent with its stated purpose, but it uses an external service to continuously ingest content and observations that can persistently change an agent's identity and runtime prompt.

Guidance: Review this carefully before installing. It is meant to persistently change how an agent behaves by syncing external content and observations to Live Neon. Only connect sources you are comfortable sending to that provider, keep the API token secure, and make sure you have human review, deletion, pause, and rollback controls before letting evolved identity affect future agent behavior.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
Content pipeline ... feed the evolution engine continuously. Hourly auto-sync keeps content fresh.

The skill's workflow includes ongoing/background evolution rather than only user-initiated one-time actions, but the artifact does not define stop conditions, scheduling controls, or containment for continuous updates.

User impact: The agent's identity may keep changing over time after sources are connected, including from future synced content the user may not review immediately.
Recommendation: Install only if continuous identity evolution is intended, and configure explicit review, pause, and rollback procedures before enabling auto-sync.

Agentic Supply Chain Vulnerabilities
Severity: Info, Confidence: High, Status: Note
SKILL.md
dependencies: [curl, jq]

The skill frontmatter documents CLI dependencies even though the registry requirements say no required binaries; this is a metadata completeness issue for a purpose-aligned setup path.

User impact: A user may install the skill without realizing the documented workflows rely on local command-line tools.
Recommendation: Confirm curl and jq are available before using the command examples, and prefer registry metadata that accurately declares these dependencies.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
SKILL.md
export LIVE_NEON_TOKEN="ln_your_token_here"

The Live Neon API token is expected for this integration, but it is sensitive account authority and is not declared in the registry credential or environment-variable metadata.

User impact: Anyone with the token may be able to access or modify the Live Neon organization or agent identity data associated with it.
Recommendation: Store the token securely, do not paste it into shared chats or logs, and rotate it if it may have been exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High, Confidence: High, Status: Concern
SKILL.md
Instead of a fixed prompt, your agent has a living identity that grows from real experience

The skill is designed to persistently change the agent's identity from accumulated content and experience, which can affect future behavior if untrusted or overly broad inputs are promoted.

User impact: External or mistaken content could become part of the agent's future beliefs, responsibilities, or prompt and influence later conversations.
Recommendation: Use only tightly scoped sources, require human review before promoting identity changes, and confirm that snapshots, beliefs, and evolved prompts can be reverted or deleted.

Insecure Inter-Agent Communication
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
Six sources (GitHub, websites, RSS, Twitter, LinkedIn, file uploads) feed the evolution engine continuously. Hourly auto-sync keeps content fresh.

The artifact describes continuous transfer of broad source data to an external platform, including file uploads and connected accounts, without clear data-boundary, retention, or exclusion controls.

User impact: Private repository content, uploaded files, social content, or observations may be processed and stored by the provider as part of the agent's evolving identity.
Recommendation: Review Live Neon's privacy and retention terms, connect only non-sensitive sources, and avoid enabling hourly sync for sources that may contain secrets or private data.