Agent Emacs
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is not clearly malicious, but it gives an agent persistent Emacs, shell, and SSH-style remote control with little scoping, so it should be reviewed before use.
Install only if you intentionally want an agent to operate inside a persistent Emacs environment that can edit files, run shell commands, use Git, and access remote hosts through SSH/TRAMP. Use least-privilege accounts, restrict allowed projects and hosts, require explicit approval for remote or destructive actions, review the missing Emacs init configuration before bootstrapping, and stop or clean the daemon when work is complete.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could change files, run commands, or affect services on local or remote machines if it has access.
The skill directs agents to execute arbitrary shell commands through a persistent Emacs/TRAMP connection on remote nodes, but the artifacts do not define host scope, command limits, user approval requirements, or rollback controls.
Once a remote file is opened, the connection is persistent in the daemon. You can run shell commands on that remote node using `(shell-command "...")` while in that buffer.
Require explicit user approval for shell commands, remote hosts, Git commits, service changes, and other high-impact actions; restrict use to trusted workspaces and least-privilege accounts.
If the agent can reach SSH credentials or configured hosts, it may obtain persistent access to remote systems and modify sensitive configuration files.
TRAMP access relies on SSH account authority and may use the user's existing SSH configuration or keys. The skill does not bound which accounts, hosts, paths, or operations are permitted.
Opening a remote file automatically establishes a persistent SSH tunnel. `(find-file "/ssh:user@remote-node:/etc/config.json")`
Use dedicated low-privilege SSH accounts, restrict allowed hosts and paths, and require confirmation before opening or editing remote files.
Sensitive or incorrect information could persist and influence later agent behavior.
The skill instructs persistent writes into host memory files that may be reused across sessions, but it does not describe filtering, user review, retention limits, or protections against incorrect or untrusted content becoming future context.
Significant outcomes, decisions, and cross-session facts MUST be mirrored to the host's `.md` memory files (e.g., `MEMORY.md`, `YYYY-MM-DD.md`).
Keep memory files in a known workspace, review changes before accepting them, and avoid storing secrets or unverified instructions as long-term memory.
State, buffers, connections, or processes may remain active after the immediate request is finished.
The long-running daemon is disclosed and purpose-aligned, but it means the agent's working state and processes can continue beyond a single task unless the user stops them.
All work happens inside a persistent Emacs daemon (`emacs-agent.service`).
Know how to inspect and stop the daemon, and clear buffers or remote connections when work is complete.
The installation may not load the intended configuration, or the user may need to obtain and review an additional file before setup is trustworthy.
The bootstrap script references assets/agent-init.el, but that file is not included in the provided manifest. This is not evidence of malicious behavior, but the intended Emacs configuration is not reviewable here and the setup may fail or behave differently than described.
`cp assets/agent-init.el "$EMACS_DIR/init.el"`
Do not run the bootstrap until the referenced agent-init.el file is present and reviewed; verify what will be written under ~/.emacs.d.
