Pa Onboarding

Advisory: audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Informational note 1: Service access and local token storage

What this means

If followed, the assistant may gain access to business workspace data, email, Drive, contacts, and calendar operations.

Why it was flagged

The guide asks the user to grant service access and store a monday.com API token locally. This is expected for a PA integration, but it gives the assistant meaningful account authority.

Skill content

Generate API token ... `echo "YOUR_TOKEN" > ~/.credentials/monday-api-token.txt` ... `gog auth add owner@company.com --services gmail,drive,contacts`

Recommendation

Grant only the services the PA truly needs, prefer least-privilege service accounts where possible, and protect token files with appropriate local permissions (owner-only: mode 600 inside a mode 700 directory). Avoid passing the token as a command-line argument, as the quoted `echo` one-liner does, because the value is then recorded in shell history and the file is created at the default umask.
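The following shell script is an added example for this note; it is not part of the scanned skill or of ClawScan. It replaces the skill's `echo "YOUR_TOKEN" > …` step with a version that reads the token from stdin (so it never appears in a process argument list or shell history), writes it under a restrictive umask, and adds a pre-flight check the assistant can run before reading the file. It assumes a POSIX sh with either GNU or BSD `stat`; the directory and file paths are parameters, and the token used in `demo` is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not part of the onboarding skill): owner-only storage for the
# monday.com API token, plus a permission check to run before using it.

# Print a file's permission bits in octal. Tries GNU stat first, then BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create the credentials directory owner-only and write the token read from
# stdin. The umask is changed in a subshell so it does not leak to the caller,
# and the file is therefore never created group- or world-readable.
store_token() {
    dir=$1
    file=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    (umask 077 && IFS= read -r token && printf '%s\n' "$token" > "$file")
}

# Return 0 only if the token file is a regular file with mode 600 inside a
# mode 700 directory; otherwise explain on stderr and return 1.
check_token_file() {
    file=$1
    dir=$(dirname "$file")
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    [ "$(file_mode "$file")" = "600" ] || {
        echo "bad mode on $file: $(file_mode "$file") (want 600)" >&2; return 1; }
    [ "$(file_mode "$dir")" = "700" ] || {
        echo "bad mode on $dir: $(file_mode "$dir") (want 700)" >&2; return 1; }
    return 0
}

# Demo against a temporary directory with a constructed placeholder token.
demo() {
    tmp=$(mktemp -d)
    printf 'CONSTRUCTED_PLACEHOLDER_TOKEN\n' |
        store_token "$tmp/.credentials" "$tmp/.credentials/monday-api-token.txt"
    check_token_file "$tmp/.credentials/monday-api-token.txt" && echo "token file OK"
    # What the skill's one-liner produces under a typical 022 umask: mode 644.
    (umask 022 && printf 'CONSTRUCTED_PLACEHOLDER_TOKEN\n' > "$tmp/.credentials/loose.txt")
    check_token_file "$tmp/.credentials/loose.txt" || echo "loose file rejected as expected"
    rm -rf "$tmp"
}

demo
```

Feed the real token with `printf '%s\n' "$TOKEN" | store_token ~/.credentials ~/.credentials/monday-api-token.txt` from a process that already holds it, or type it at an interactive `read -rs` prompt; either way it stays out of the shell history that the quoted `echo` would have written it to.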

Informational note 2: Autonomous action and third-party contact

What this means

The PA could take delegated actions or contact people without an extra confirmation step when it believes the request is clear.

Why it was flagged

The skill teaches the PA to act on inferred task intent and message third parties. This fits a personal-assistant purpose, but users should constrain high-impact actions.

Skill content

Never ask the owner "did you mean X?" if the answer is inferable — execute and let them correct ... When owner asks to check on someone: contact that person

Recommendation

Define explicit rules for what actions require confirmation, especially calendar changes, external messages, purchases, workspace edits, or sensitive communications.

Informational note 3: Recurring morning briefing

What this means

If enabled, the assistant may regularly read and summarize calendar, email, and task information without a fresh prompt each time.

Why it was flagged

The guide includes optional recurring automation that continues after onboarding. It is disclosed and purpose-aligned, but it is persistent behavior.

Skill content

Schedule Morning Briefing (Optional) - Cron job at 07:30 owner's timezone, Monday–Friday. - Sends: meetings, urgent emails, open tasks.

Recommendation

Enable recurring jobs only with clear user consent, document how to disable them, and limit the data sources included in the briefing.
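As an added example for this note (not part of the skill), the two functions below install the 07:30 Monday-to-Friday job described above as a tagged block in the user's crontab, so that re-running the onboarding does not duplicate it and a single documented command removes it again. The `CRON_TZ` variable is an assumption about the cron implementation (cronie and other Vixie-derived crons honour it; on a cron that does not, the schedule runs in the daemon's zone). The timezone, the briefing command path `/opt/pa/briefing.sh`, and the sample crontab line are hypothetical.

```shell
#!/bin/sh
# Added example (not from the onboarding skill): manage the optional morning
# briefing as a marked crontab block so it can be installed idempotently and
# disabled with one command.

BEGIN_TAG='# BEGIN pa-morning-briefing'
END_TAG='# END pa-morning-briefing'

# Read crontab text on stdin, strip any existing briefing block, and append a
# fresh one. $1 is the owner's IANA timezone, $2 the command to run.
# 07:30 on Monday-Friday is "30 7 * * 1-5"; CRON_TZ applies to the lines that
# follow it (assumption: the cron daemon supports CRON_TZ, as cronie does).
install_briefing_job() {
    tz=$1
    cmd=$2
    remove_briefing_job
    printf '%s\nCRON_TZ=%s\n30 7 * * 1-5 %s\n%s\n' "$BEGIN_TAG" "$tz" "$cmd" "$END_TAG"
}

# Read crontab text on stdin and delete the whole tagged block (the disable
# path users should be told about). A BEGIN tag without an END tag deletes to
# end of input, so the tags must be kept as a pair.
remove_briefing_job() {
    sed "/^$BEGIN_TAG\$/,/^$END_TAG\$/d"
}

# Usage against the live crontab (commented out so the demo stays read-only):
#   crontab -l 2>/dev/null | install_briefing_job Europe/London /opt/pa/briefing.sh | crontab -
#   crontab -l | remove_briefing_job | crontab -      # disable the briefing

# Demo on a constructed crontab: install twice, show it is not duplicated, then remove.
demo() {
    existing='0 0 * * * /usr/local/bin/backup.sh'
    once=$(printf '%s\n' "$existing" | install_briefing_job Europe/London /opt/pa/briefing.sh)
    twice=$(printf '%s\n' "$once" | install_briefing_job Europe/London /opt/pa/briefing.sh)
    echo "--- installed ---"; printf '%s\n' "$once"
    [ "$once" = "$twice" ] && echo "re-install is idempotent"
    echo "--- after removal ---"; printf '%s\n' "$once" | remove_briefing_job
}

demo
```

Pair the install command with the removal command in the same onboarding step, so that consent and the off switch are documented together.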

Informational note 4: Persistent preferences in SOUL.md

What this means

Private owner preferences and autonomy rules may persist and influence future assistant behavior.

Why it was flagged

SOUL.md and feedback/lesson logging are persistent behavioral context for the PA. This is useful for onboarding, but it can contain sensitive preferences and authorization rules.

Skill content

Configure SOUL.md ... Owner's name and communication style ... What to act on autonomously vs. what requires permission ... Topics to proactively monitor.

Recommendation

Keep SOUL.md concise, review it periodically, restrict write access, and avoid storing secrets or overly broad autonomous-action instructions in it.
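The script below is an added example for this recommendation, not part of the skill or of ClawScan. It is a check to run on SOUL.md whenever it is edited: it fails if the file contains a secret-looking value, if it contains a blanket autonomy rule (the "never ask" phrasing comes from the onboarding skill's own text), or if the file is writable by anyone other than the owner. The regular expressions are a simple heuristic chosen for this example, and the SOUL.md contents in `demo` are constructed.

```shell
#!/bin/sh
# Added example (not from the onboarding skill): lint SOUL.md for secrets,
# overly broad autonomy rules, and loose write permissions.

# Credential-shaped lines: a secret-ish key followed by := and a value, a JWT
# prefix, or a 32+ character hex string. Heuristic, not a ClawScan rule.
SECRET_RE='(api[_-]?key|secret|token|password)[[:space:]]*[:=][[:space:]]*[^[:space:]]+|eyJ[A-Za-z0-9_-]{10,}|[0-9a-f]{32,}'
# Autonomy rules too broad to live in a persistent prompt.
BROAD_RE='never ask|without (asking|confirmation)|act on anything'

# Permission bits in octal (GNU stat first, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if SOUL.md passes all three checks; print each problem and return 1
# otherwise. Matching lines are printed with line numbers for review.
scan_soul() {
    file=$1
    rc=0
    if grep -E -i -n "$SECRET_RE" "$file"; then
        echo "$file: secret-looking value above; keep credentials in a separate 0600 file" >&2
        rc=1
    fi
    if grep -E -i -n "$BROAD_RE" "$file"; then
        echo "$file: blanket autonomy rule above; replace with a scoped list of allowed actions" >&2
        rc=1
    fi
    # Last three octal digits: group and other write bits are 2, 3, 6 or 7.
    mode=$(file_mode "$file")
    case "$(printf '%s' "$mode" | tail -c 3)" in
        ?[2367]?|??[2367])
            echo "$file: writable by group/others (mode $mode); chmod 600 it" >&2
            rc=1 ;;
    esac
    return $rc
}

# Demo with two constructed SOUL.md files.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/bad-SOUL.md" <<'EOF'
Owner: Alex, prefers short replies.
monday token = CONSTRUCTED0123456789abcdef0123456789abcdef
Never ask the owner "did you mean X?" if the answer is inferable.
EOF
    cat > "$tmp/good-SOUL.md" <<'EOF'
Owner: Alex, prefers short replies.
May reschedule internal meetings autonomously.
Ask before sending external messages, editing the calendar, or making purchases.
EOF
    chmod 600 "$tmp/bad-SOUL.md" "$tmp/good-SOUL.md"
    scan_soul "$tmp/bad-SOUL.md" || echo "bad-SOUL.md rejected as expected"
    scan_soul "$tmp/good-SOUL.md" && echo "good-SOUL.md passes"
    rm -rf "$tmp"
}

demo
```

Run `scan_soul ~/path/to/SOUL.md` from the same hook that reviews the feedback and lesson logs, since those files accumulate the same kind of content over time.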