Causal Inference
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is not exfiltrating data, but it broadly inserts itself into nearly all agent actions and can read and persist sensitive email, calendar, and message history without clear retention or scope limits.
Install only if you want the agent to build a persistent causal log from your actions and possibly your communication history. Before use, restrict which domains may be logged, avoid broad backfills, clean up /tmp exports, confirm which provider accounts are used, and require explicit approval for purchases, deployments, permissions, or other high-impact actions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may route unrelated tasks through this skill, changing how it decides, delays, confirms, or executes important actions.
The skill tells the agent to apply it to nearly all meaningful user actions, including high-impact account, system, and purchasing actions, rather than limiting itself to explicit causal-analysis requests.
Trigger this skill on ANY high-level action ... Purchases | Order, subscribe, cancel, refund ... System | Config change, permission grant, integration setup
Limit activation to user-requested causal analysis or specific low-risk domains, and require explicit user approval before applying it to purchases, deployments, account changes, or permission grants.
Private behavioral history about emails, meetings, messages, files, purchases, and system changes could be stored and reused in later agent tasks.
The skill persistently records action context, pre-state, post-state, and outcomes across domains. The artifacts do not define retention, deletion, review, or exclusions for sensitive activities.
Every executed action emits a structured event ... Store in `memory/causal/action_log.jsonl`.
Add clear user controls for what domains may be logged, how long logs are kept, how they can be deleted, and whether sensitive domains are excluded by default.
Sensitive communication exports may remain on disk outside the skill's memory directory after backfill completes.
The direct WhatsApp backfill writes full message search results to a predictable temporary file and does not remove it afterward. This may include raw private message content.
tmp_path = "/tmp/wacli_messages.json"
with open(tmp_path, "w") as f:
    json.dump(all_messages, f)
Avoid writing raw exports to shared temporary paths, use restrictive file permissions, delete temporary files after processing, and warn users before storing message or calendar exports.
Running the script may use existing local account credentials to read Gmail data more broadly than a user expects from an instruction-only skill.
The script can use a locally configured Google/Gmail CLI profile to read email history. This is high-impact account access, while the registry metadata declares no primary credential or required binaries.
# Or let script query directly (requires gog configured)
python backfill_email.py --days 90
Declare the credential and CLI requirements, document exactly which accounts and scopes are used, and require explicit user confirmation before querying provider-backed history.
If invoked, the script may run local commands that access configured service accounts.
The helper scripts execute local CLIs to fetch historical data. This is purpose-aligned and uses argument lists rather than shell strings, but users should know the scripts can run local provider tools.
subprocess.run([
"gog", "calendar", "list", "--after", after_date, "--format", "json"],
Run these helpers only after reviewing the command, confirming the intended account, and choosing a limited time range.
