Proactive Agent

Warn

Audited by ClawScan on May 18, 2026.

Overview

The skill is a coherent proactive-memory framework, but it gives the agent broad autonomous, persistent, and account-monitoring authority that needs careful review before use.

Install only if you want a persistent proactive agent and are comfortable configuring strong boundaries. Before use, restrict which folders and accounts it can access, disable or tightly scope heartbeats, require approval for BOOTSTRAP.md, deletions, external actions, and self-modifications, and keep memory/credential files private and out of version control.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or accidental BOOTSTRAP.md in the workspace could redirect the agent’s behavior and then be deleted, making the change harder to inspect afterward.

Why it was flagged

This makes a local file an authoritative instruction source and then removes it, without provenance checks or user confirmation.

Skill content

If `BOOTSTRAP.md` exists, follow it, then delete it.

Recommendation

Require the agent to show BOOTSTRAP.md contents, confirm the file was user-created, get approval before following it, and avoid auto-deleting it without explicit permission.

What this means

The agent may read or reorganize more of the workspace than the user intended, including private or sensitive local files.

Why it was flagged

The instruction grants broad local exploration and organization authority without clearly bounding paths, file types, or review requirements.

Skill content

Don't ask permission. Just do it. ... Do freely: Read files, explore, organize, learn

Recommendation

Define allowed directories and actions, require confirmation for file organization or mutation, and keep sensitive folders excluded by default.

What this means

If connected to mail or calendar tools, the agent could inspect sensitive personal or business information during proactive checks.

Why it was flagged

Email and calendar access can expose private account data, but the skill metadata declares no required credentials, scopes, or account boundaries.

Skill content

Things to check: - Emails - urgent unread? - Calendar - upcoming events?

Recommendation

Use read-only integrations where possible, explicitly configure which accounts/calendars may be checked, and require approval before any send, invite, or account mutation.

What this means

Private conversation details may be stored in workspace files and reused across sessions without a clear retention, exclusion, or consent process.

Why it was flagged

The skill instructs the agent to persist names, preferences, decisions, values, URLs, and other details from user messages before responding.

Skill content

`SESSION-STATE.md` | Active working memory (current task) | Every message with critical details ... SCAN EVERY MESSAGE FOR ... Proper nouns ... Specific values ... WRITE — Update SESSION-STATE.md

Recommendation

Tell users exactly what is stored, keep memory files private and gitignored, add an easy opt-out/redaction process, and avoid storing secrets or sensitive third-party information.

What this means

Mistakes, bad assumptions, or indirectly influenced lessons could become durable instructions that affect future sessions.

Why it was flagged

Persistent operating rules and even skill files can be changed by the agent without a user-reviewed diff or rollback process.

Skill content

Learn a lesson → update AGENTS.md, TOOLS.md, or skill file ... Don't wait for permission to improve.

Recommendation

Require user approval for changes to AGENTS.md, SOUL.md, TOOLS.md, and skill files; keep version history; and review diffs before accepting self-improvements.

What this means

The agent may continue checking, building, or prompting during background heartbeats unless the user sets explicit limits.

Why it was flagged

The skill is designed for periodic autonomous activity and proactive work outside a direct user request.

Skill content

> Configure your agent to poll this during heartbeats. ... What could I build RIGHT NOW that would make my human say 'I didn't ask for that but it's amazing'?

Recommendation

Enable heartbeats only intentionally, define frequency and allowed actions, and require approval before any external, public, irreversible, or account-changing action.

What this means

Users have less external context for deciding whether to trust a high-authority proactive agent framework.

Why it was flagged

The package has limited provenance information, and the included _meta.json owner/slug differs from the registry metadata.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the publisher, compare the package contents with a trusted source if available, and review all files before enabling autonomous behavior.

What this means

Running the script will inspect local workspace files and Clawdbot configuration, but the artifact does not show network transmission or destructive commands.

Why it was flagged

The package includes a shell script that reads local files and configuration for audit checks; this is disclosed and appears purpose-aligned.

Skill content

#!/bin/bash ... grep -iE "$SECRET_PATTERNS" ... CONFIG_FILE="$HOME/.clawdbot/clawdbot.json"

Recommendation

Run the script manually only after reviewing it, from the intended workspace, and avoid running it with elevated privileges.