04 Agent Stack Audit
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This audit skill is coherent, but it asks for broad access to local automations, API/subscription information, and project memory, and it includes an exception that could modify scripts without clearly requiring approval.
Install only if you are comfortable giving the agent broad visibility into your automation stack. Before running it, define exact directories, credential inventories, accounts, and memory files that are in scope; require masked secrets in reports; and do not allow any cleanup or script edits without an explicit approval and backup.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A script could be changed in a way that breaks an automation or removes functionality the user still needed.
This authorizes modifying user scripts as an exception to the recommend-only workflow, but it does not clearly require explicit user approval before editing code.
One exception: If a script references a dead API that has been confirmed cancelled → safe to comment out the call and log it. Don't delete the file.
Require explicit user approval, a visible diff, and a backup before any script is edited, even if the API appears dead or cancelled.
API keys, account names, billing details, or subscription information could be exposed to the agent or included in reports if not carefully limited.
The skill expects access to API key inventory and subscription/billing-related information, but the artifacts do not define which credential stores, accounts, or scopes are in bounds.
Cross-reference your API inventory against actual script usage:
- Any API key configured but never called in the last 30 days?
- Any paid subscription that maps to zero active script usage?
Use read-only inventories where possible, mask secret values, avoid giving raw API keys unless necessary, and explicitly list which accounts and providers may be audited.
Private project context could be surfaced in audit reports, and stale or poisoned memory could influence cleanup recommendations.
The skill directs the agent to read persistent project memory and context files, but it does not bound paths, exclusions, redaction, retention, or how those contents should be trusted.
Review project memory and context files:
- Any project memory not updated in 30+ days?
- Projects marked "on hold" for 60+ days with no activity?
- Contradictions between your main context file and individual project files?
Restrict the audit to specific memory directories, redact sensitive content from reports, and treat memory/context files as untrusted evidence that needs user confirmation.
If a user or agent separately schedules it, the recurring audit could repeatedly inspect local automations and sensitive context.
The skill recommends recurring use, but the provided artifacts do not install a scheduler or background process.
Scheduled: First Monday of every month, 05:00 local time. Quick scan: Every Sunday (cron health only — 5 min).
Only create recurring runs intentionally, keep them read-only by default, and review reports before allowing cleanup actions.
