v1.0.0

Proactive Agent Install

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:05 AM.

Analysis

This looks like a proactive-memory assistant framework rather than obvious malware, but it asks for broad persistent memory, autonomous checks, account access, local environment changes, and includes a named user's profile/path.

GuidanceInstall only if you intentionally want a persistent, proactive agent. Before installing, remove the proposed_USER/proposed_SOUL personal files, review the audit script, define exactly what the agent may read or modify, opt in explicitly to heartbeats/email/calendar access, and require approval before storing sensitive memories or changing persistent instruction files.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents

SeverityMediumConfidenceHighStatusConcern

assets/AGENTS.md

When you receive a heartbeat poll ... Things to check: - Emails - urgent unread? - Calendar - upcoming events? - Logs - errors to fix? ... It's been >8h since you said anything

The heartbeat instructions encourage periodic autonomous checks and outreach across private data sources, with unclear scheduling, scope, and user approval boundaries.

User impactThe agent may act like a background worker that monitors accounts and reaches out proactively, which may surprise users if they expected only on-demand behavior.

RecommendationRequire explicit opt-in for heartbeats/crons, document the schedule and allowed data sources, and keep external outreach or notifications user-approved.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

assets/HEARTBEAT.md

Close Unused Apps ... Browser Tab Hygiene ... Close: Random searches ... Desktop Cleanup - Move old screenshots to trash

The heartbeat checklist includes local environment mutations that can close user state or move files, and the checklist itself does not require per-action confirmation.

User impactThe agent could disrupt active work, close useful tabs, or move files unexpectedly during proactive maintenance.

RecommendationRequire explicit confirmation before closing apps/tabs or moving files, and limit cleanup to clearly user-approved paths and recoverable actions.

Agent Goal Hijack

SeverityMediumConfidenceHighStatusConcern

assets/AGENTS.md

If `BOOTSTRAP.md` exists, follow it, then delete it.

A workspace file named BOOTSTRAP.md is made authoritative without validation, and deleting it can remove the audit trail of what instructions were followed.

User impactA mistaken or malicious BOOTSTRAP.md could redirect the agent's behavior before the user reviews it.

RecommendationTreat BOOTSTRAP.md as untrusted until reviewed, ask before following it, and archive rather than delete it automatically.

Cascading Failures

SeverityMediumConfidenceHighStatusConcern

assets/AGENTS.md

After every mistake or learned lesson: ... Update AGENTS.md, TOOLS.md, or relevant file immediately ... Don't wait for permission to improve.

The skill encourages automatic modification of persistent operating rules, so a bad lesson or poisoned context can affect future sessions.

User impactOne incorrect inference could become a lasting rule that changes how the agent behaves across tasks.

RecommendationRequire review before modifying AGENTS.md, TOOLS.md, SOUL.md, or other instruction-bearing files; keep diffs and rollback points.

Unexpected Code Execution

SeverityLowConfidenceHighStatusNote

scripts/security-audit.sh

if [ -d ".credentials" ]; then ... grep -iE "$SECRET_PATTERNS" ... CONFIG_FILE="$HOME/.clawdbot/clawdbot.json"

The included shell script reads local credential metadata and configuration as part of a security audit; this is purpose-aligned and does not show network exfiltration or destructive commands.

User impactRunning the script will inspect local files and configs, which is expected for an audit but should still be reviewed first.

RecommendationRun the audit only from the intended workspace after reading the script, and ensure any output containing sensitive filenames or warnings is handled privately.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

metadata

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The package has limited provenance metadata, even though it asks users to trust broad persistent-agent behavior.

User impactUsers have less external context for verifying the author, source, and intended release history.

RecommendationVerify the publisher and commit history before installing, especially because the skill changes persistent agent behavior.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusConcern

assets/HEARTBEAT.md

Things to check periodically: - Emails - anything urgent? - Calendar - upcoming events?

Email and calendar checks imply delegated account access, but the registry declares no primary credential, required environment variables, or account-scope boundaries.

User impactThe agent could read sensitive account data if connected tools are available, without the skill clearly declaring what accounts or scopes it needs.

RecommendationDeclare any email/calendar permissions explicitly, use read-only minimal scopes, and require the user to choose which accounts may be checked.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityHighConfidenceHighStatusConcern

proposed_USER.md

Użytkownik: **Arkadiusz Fudali (makaronz)** ... /Users/arkadiuszfudali/.openclaw/workspace/USER.md

A generic skill package includes a named person's profile details and absolute local workspace path, which is purpose-mismatched and could leak or seed private context into another user's agent memory.

User impactInstalling or copying the bundled files could expose someone else's personal context or cause the agent to adopt another user's preferences and workspace path.

RecommendationRemove proposed_USER.md/proposed_SOUL.md or replace them with generic placeholders before publishing or installing; never package real user profiles or absolute personal paths.

Memory and Context Poisoning

SeverityHighConfidenceHighStatusConcern

SKILL.md

`SESSION-STATE.md` ... Every message with critical details ... Working Buffer — Captures every exchange in the danger zone

The skill directs persistent capture of conversation details, names, preferences, decisions, and exchange summaries without clear retention, exclusion, or sensitivity rules.

User impactPrivate conversations, relationships, goals, identifiers, or credentials mentioned in chat could be written into durable workspace files and reused later.

RecommendationMake memory capture opt-in, define excluded data types, set retention rules, avoid logging secrets, and require user approval before storing sensitive personal or business information.