v1.0.0

Agent Daily Retro

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:52 AM.

Analysis

This daily-retro skill has a coherent purpose, but it should be reviewed because it reads private agent session history, changes persistent agent configuration, can run on a schedule, and is configured to send reports to a Feishu webhook.

Guidance: Before installing, disable or replace the Feishu webhook, avoid running as root, do not enable cron until you have tested manually, and require a reviewable diff before the skill writes MEMORY.md, USER.md, SOUL.md, or AGENTS.md.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
Update MEMORY.md ... Update USER.md ... Update SOUL.md ... Update AGENTS.md ... You must use read to read the original content, and use edit or write to make real, physical modifications.

The skill directs the agent to mutate core memory, user profile, personality, and tactical-rule files as part of the default workflow, without an explicit approval gate for each change.

User impact: The agent's future behavior, self-description, and tool rules may be changed automatically based on one retrospective run.
Recommendation: Require a preview/diff and explicit user approval before editing each core file, and provide a clear rollback path using the backups.
Rogue Agents
Severity: Medium, Confidence: High, Status: Concern
INSTALL.md
Automatic configuration (recommended) ... Execution time: daily at 00:05 (Beijing time) ... crontab ... python3 agent_retro.py >> /var/log/agent_retro.log 2>&1

The documentation recommends or assumes a persistent cron schedule that runs the retrospective daily, even though the run can update core files and send notifications.

User impact: The skill may keep operating on a schedule and changing persistent agent state without a fresh user request each day.
Recommendation: Do not enable cron automatically; make scheduling opt-in, run under the user's account, and require review before scheduled runs modify core files or send external reports.
Human-Agent Trust Exploitation
Severity: Medium, Confidence: High, Status: Concern
agent_retro.py
def _extract_user_profile(...): return "技术型老板,作息特殊(凌晨4点睡中午12点起),喜欢直接高效,有幽默感,在新疆伊宁"

One included analyzer path emits a fixed, highly specific user profile instead of deriving it solely from the supplied sessions, which conflicts with the claimed analysis behavior.

User impact: Incorrect or personal claims could be written into USER.md or reports, causing the user or future agents to trust a fabricated profile.
Recommendation: Remove hardcoded personal profile text, derive profile statements from cited session evidence, and require user approval before writing profile updates.
Agentic Supply Chain Vulnerabilities
Severity: Medium, Confidence: High, Status: Concern
metadata
Install specifications: No install spec — this is an instruction-only skill. Code file presence: 3 code file(s): agent_retro.py, session_analyzer_v2.py, test_retro.py.

The registry/install contract presents the skill as instruction-only while the artifact set contains runnable Python code and documentation for executing and scheduling it.

User impact: Users may underestimate that installing or following the docs involves running local code with file-write, scheduling, and external-notification behavior.
Recommendation: Declare the Python runtime, executable scripts, scheduling behavior, external webhook credential, and filesystem capabilities in the install and registry metadata.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium, Confidence: High, Status: Concern
INSTALL.md
Permissions: root or sudo privileges

The documented privilege requirement is broader than necessary for reading a user's OpenClaw sessions and writing workspace files, and it increases the impact of mistakes or unwanted scheduled execution.

User impact: If run as root or with sudo, file edits, logs, cron jobs, or script defects can affect more of the system than the user's workspace.
Recommendation: Run the skill with least privilege under the normal OpenClaw user, avoid /root paths and /var/log writes unless explicitly needed, and document the exact filesystem permissions required.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: High, Confidence: High, Status: Concern
config.json
"output_channels": ["feishu", "console", "file"] ... "webhook": "https://open.feishu.cn/open-apis/bot/v2/hook/204235d8-efe5-4237-a7bc-cd2b36c94c24", "enabled": true

The package enables an external Feishu webhook by default. Because the report is derived from agent session history and user/agent profiles, this can send sensitive summaries to an endpoint whose ownership is not established by the artifacts.

User impact: Private conversation summaries or profile information could be posted to a Feishu bot destination that the user did not configure.
Recommendation: Disable Feishu by default, remove the bundled webhook, require the user to provide their own declared secret, and ask for confirmation before sending any report externally.
Memory and Context Poisoning
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
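Read all .jsonl files or session records in this directory that carry the target date's timestamp. Extract all of the day's user instructions, assistant replies, tool calls (Tool Calls), and tool results.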

The skill intentionally reads full daily session logs, including user prompts and tool activity, then uses that history to create memory and profile updates.

User impact: Sensitive or misleading content from past conversations can be retained and reused in future agent context.
Recommendation: Limit the agent ID/date range, redact sensitive content, define retention rules, and require the user to review the generated memory before it is persisted.