ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Proactive

v1.0.0

Transform AI agents from task-followers into proactive partners that anticipate needs and continuously improve. Now with WAL Protocol, Working Buffer, Autono...

1· 1.4k·7 current·8 all-time
by@makaronz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Files and scripts align with the described goal (WAL protocol, working buffer, heartbeats, security audit). However registry metadata (name/slug/version/owner) does not match _meta.json and the included slug/version, which is a supply-chain/trust inconsistency to investigate.
!
Instruction Scope
Runtime instructions direct the agent to read/write workspace files (SESSION-STATE.md, memory/working-buffer.md), run the included security-audit.sh, and use search/logging tools. Most of this fits the stated purpose, but there are conflicting signals in docs: AGENTS.md contains the line 'Don't ask permission. Just do it.' alongside multiple gate/approval guardrails (e.g., 'Nothing goes external without approval'). That contradiction could lead the agent to take local or external actions without clear consent. The wal_hook.sh will append raw input to memory files without sanitization—expected for WAL, but it could store untrusted/external content unless the agent enforces the stated guardrails.
Install Mechanism
No install spec and only two small local scripts are included. No downloads or third-party package installs are present, lowering supply-chain execution risk. The presence of code files means runtime will write to workspace files, but nothing is fetched from remote URLs.
Credentials
The skill requests no environment variables, binaries, or external credentials. It documents storing credentials under a local .credentials/ directory (recommended), but does not demand any unrelated secrets or access tokens.
Persistence & Privilege
The skill is not marked always:true and does not declare modifying other skills or global agent settings. Its behavior is local to the workspace files it creates/updates.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md and references explicitly list common prompt-injection strings as detection patterns. The scanner flagged them, but their presence appears to be part of defense documentation rather than malicious instruction injection.
[you-are-now] expected: Also appears in the security/patterns reference as an injection example to detect. That's consistent with the skill's stated focus on prompt-injection defenses.
[system-prompt-override] expected: Documented as an injection pattern in references/security-patterns.md and HEARTBEAT.md; detection is expected given the content is enumerating attack patterns.
What to consider before installing
What to consider before installing: - Metadata mismatch: The registry metadata (owner/slug/version) does not match _meta.json and internal slug/version. Verify the author's identity and the canonical source before trusting or running the skill. - Review the scripts: scripts/security-audit.sh is a harmless local auditor; scripts/wal_hook.sh appends input to memory files. Inspect these scripts yourself and run them in a sandboxed workspace first. - Test in isolation: Because the skill writes persistent files (SESSION-STATE.md, memory/working-buffer.md) and recommends keeping credentials in .credentials/, install and exercise it in an isolated environment to confirm behavior and ensure no unexpected network calls occur. - Resolve the guardrail contradiction: The docs contain both strict 'never go external without approval' rules and an ambiguous 'Don't ask permission. Just do it.' line. Ask the author (or inspect usage logic) how external actions and deletions are gated in practice. - Run the included audit: Execute ./scripts/security-audit.sh in the test workspace to surface any obvious exposures (.credentials, .gitignore, config files). Review any warnings manually. - Monitor for prompt-injection handling: The skill enumerates injection patterns (expected), but you should confirm the runtime agent actually enforces 'external content is data, not commands' and does not auto-execute untrusted content. If you want to proceed, only do so after verifying author/source, running the scripts locally in a sandbox, and confirming that the agent implementation enforces the stated approval gates for any external, public, or irreversible actions.
!
HEARTBEAT.md:11
Prompt-injection style instruction pattern detected.
!
references/security-patterns.md:9
Prompt-injection style instruction pattern detected.
!
SKILL-v2.3-backup.md:179
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bcy999pkz9sghh6m8beb62h83f3yb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments