Agent Core
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is mostly a pointer to an external paid agent kit and advertises persistent 24/7 automation, memory, and account-facing workflows without providing the actual controls or files for review.
Review this as a promotional stub, not a complete reviewed skill. Before using the external Agent Core kit, inspect all downloaded files, cron jobs, memory paths, account integrations, and safety rules; avoid granting email, calendar, deployment, trading, or messaging access until you have confirmed scope, approvals, and a clear way to disable or remove the automation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing this skill alone does not give you the described functionality, and following the external link could lead you to apply unreviewed agent configs or automation templates.
The reviewed package does not contain the advertised kit; users are directed to an external paid download whose files and provenance are outside this scan.
**$39** — Full kit with all configs, templates, patterns, and quickstart guide. 👉 **https://clawkits.gumroad.com/l/agent-core**
Do not treat the external kit as reviewed by this scan. Inspect any downloaded configs, scripts, cron jobs, and permissions before using them.
A user who applies the external patterns could end up with an agent that keeps operating or checking in beyond a single requested task.
The artifact advertises autonomous, persistent behavior, but the reviewed materials do not show clear stop conditions, user controls, containment, or cleanup guidance.
Memory that persists across sessions. Heartbeats that check in without being asked.
Require explicit opt-in for scheduled/background behavior, document how to disable it, and review any cron or heartbeat templates before installation.
Private or incorrect information could be stored and reused across sessions if the external memory system is applied without clear controls.
The skill advertises persistent memory and consolidation, but the artifact does not define what data is stored, where it is stored, how long it is retained, or how it is protected from poisoning or over-trust.
**3-layer memory system** — daily logs, topic memory, long-term curated memory with nightly consolidation
Only enable persistent memory with clear storage locations, retention rules, exclusions for sensitive data, and a way to inspect, edit, and delete memories.
If users follow the external kit, an agent may need delegated access to accounts or systems where mistakes can send messages, change deployments, or affect financial activity.
The described use cases imply access to user accounts and high-impact systems, but the registry declares no credentials or config requirements and the artifact provides no scope or approval model.
handling emails, calendars, deployments, trading, and creative work 24/7
Use least-privilege accounts, require human approval for deployments/trading or outbound messages, and verify exactly which credentials or sessions the external kit expects.
Users may over-trust the external system for sensitive automation based on claims that are not supported by the reviewed package.
The artifact makes strong safety and reliability claims, but the actual safety rules and implementation are not included for verification.
Safety rules that prevent disasters... Zero data loss from memory consolidation... No runaway loops or destructive operations
Treat these claims as marketing until the actual rules, scripts, and workflows are reviewed and tested in a safe environment.