ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Proactive Agent Install

v1.0.0

Transform AI agents from task-followers into proactive partners that anticipate needs and continuously improve. Now with WAL Protocol, Working Buffer, Autono...

0· 50·0 current·0 all-time
by@makaronz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the files: SKILL.md, multiple asset docs, and a local security-audit script all implement a proactive agent architecture (WAL, working buffer, onboarding, heartbeats). There are no unrelated env vars, binaries, or external installers requested — the requested footprint is consistent with an instruction-only agent extension that writes to/reads from the workspace.
!
Instruction Scope
Runtime instructions (and asset files) instruct the agent to read and write many workspace files (ONBOARDING.md, USER.md, SOUL.md, SESSION-STATE.md, memory/...), copy assets to workspace, run ./scripts/security-audit.sh, and maintain persistent logs. That is appropriate for a 'proactive agent' but increases risk because the skill encourages automated file writes and autonomously taking actions. The docs contain contradictory guidance (e.g., AGENTS.md says 'Don't ask permission. Just do it.' while other sections insist 'Nothing external without approval'), which is an incoherence that could lead the agent to act without needed human gating.
Install Mechanism
No install spec and no network downloads. The only executable is a small local shell script (scripts/security-audit.sh) that performs local checks (file perms, grep-based secret scans, config checks). No external URLs, packages, or archive extraction were found.
Credentials
The skill declares no required env vars or credentials. It references a .credentials directory (expected for agents needing credentials) and checks for a clawdbot config under $HOME, but it does not ask for or require unrelated secrets. This is proportionate, but you should verify any .credentials contents before giving the agent write privileges.
!
Persistence & Privilege
always:false and default autonomous invocation are normal. However, the skill encourages persistent behavior (writing SESSION-STATE.md, buffers, updating USER.md/SOUL.md) and includes cultural guidance like 'Ask forgiveness, not permission' and 'Don't ask permission. Just do it.' That combination (autonomy + encouragement to act without approval) raises privilege-risk if you enable autonomous actions without additional gating.
Scan Findings in Context
[ignore-previous-instructions] expected: The phrase appears in the security documentation and the injection-detection lists (references/security-patterns.md, HEARTBEAT.md) as a pattern to detect — its presence is expected for a skill teaching injection defenses. Still, such phrases are high-risk when they appear outside a detection context.
[you-are-now] expected: Appears in the prompt-injection pattern examples used by the skill to teach defenses. As above: acceptable as examples, but such language should never be treated as actionable instructions.
[system-prompt-override] expected: Detected because the skill enumerates known system-prompt override patterns to scan for. Presence as documentation is expected, but the evaluator should confirm the skill does not instruct agents to accept such overrides.
What to consider before installing
This skill is broadly coherent with its description: it implements a local proactive-agent architecture and contains no network installers or secret-env requirements. Before installing or enabling autonomous invocation: 1) Inspect and run ./scripts/security-audit.sh locally to see what it flags, 2) Review AGENTS.md / SOUL.md / ONBOARDING.md for the lines that encourage acting without permission and decide whether to remove/modify them (replace 'Don't ask permission' / 'ask forgiveness' guidance with explicit approval gating), 3) Ensure .credentials is empty or contains only safe placeholders and confirm .gitignore includes it, 4) If you will allow the skill to act autonomously, add explicit gating so any external actions (sending, posting, deleting, contacting other agents) require human confirmation, and 5) If you want higher assurance, test the skill in an isolated workspace first and monitor file writes the agent performs. These steps will reduce the risk from the skill's proactivity and the internal contradictions in its guidance.
!
assets/HEARTBEAT.md:11
Prompt-injection style instruction pattern detected.
!
references/security-patterns.md:9
Prompt-injection style instruction pattern detected.
!
SKILL-v2.3-backup.md:179
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk978xwyer3p9v432mygyk4a27s83eew7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments