Openclaw Proactive Agent 3.1.0

Security checks across malware telemetry and agentic risk

Overview

This is a coherent proactive-agent skill, but it gives the agent broad persistent memory and autonomous local-environment authority that users should review before installing.

Install only if you intentionally want an agent that keeps durable memory and may initiate work. Before enabling it, restrict which files, email/calendar accounts, browser/app controls, crons, and sub-agent actions are allowed; require confirmation for cleanup, deletion, external sends/posts, and operating-rule changes; and periodically inspect or purge the memory files it creates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The heartbeat file broadens the agent from a proactive assistant into an autonomous operator over local system state, files, browser activity, notes, email, and calendar without clear scope limits or user-confirmation gates. In an agent environment, periodic autonomous instructions like these can cause privacy-invasive access and unintended actions that exceed the user's expectations for the declared skill.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
These instructions authorize the agent to close applications, manage browser tabs, and clean up desktop state during periodic execution, which is effectively workstation control. Without strong safety checks, this can disrupt active work, destroy unsaved state, or normalize agent behavior that manipulates the host environment beyond the stated purpose of a proactive partner.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The skill repeatedly frames the agent as broadly proactive and anticipatory without strong task-scoping or trigger boundaries. In an agent with tool access, this can cause over-activation in ordinary conversations, leading to unintended actions, user surprise, or increased exposure to risky workflows.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description promises memory that persists and compounds knowledge over time, but it does not present a clear user-facing privacy notice or consent model. This creates a real risk of collecting and retaining personal or sensitive information from normal interactions without informed consent or minimization.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The onboarding flow states that the agent auto-populates USER.md and SOUL.md from user answers and persists progress across sessions. Automatic writing of conversation-derived personal data to files without an explicit warning or consent gate is a privacy and data-governance weakness.

Vague Triggers

High
Confidence
93% confidence
Finding
The WAL trigger scans every message for extremely common conversational patterns such as corrections, names, preferences, decisions, and specific values, then mandates an immediate write before responding. That broad trigger can be activated by ordinary conversation and can be abused to coerce excessive persistence of user data or to make the agent prioritize state mutation over safer handling.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The compaction recovery trigger includes vague conditions like 'you should know something but don't' and common phrases such as 'continue' or 'where were we?', which can occur in normal conversation. This creates an over-broad recovery path that may cause the agent to pull prior persisted content into the current context unnecessarily, increasing privacy and prompt-injection exposure.

Missing User Warnings

High
Confidence
97% confidence
Finding
The quick start directs automatic onboarding, answering personal questions over time, and auto-populating USER.md and SOUL.md, but does not present any retention notice, consent flow, or limits on what is stored. This encourages collection of durable user-profile data without transparency, increasing the risk of overcollection and later disclosure.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The WAL trigger says to scan every message for broad categories like corrections, names, preferences, decisions, and values, then automatically write to persistent state. This is over-broad activation guidance that can fire during ordinary conversation and cause unintended persistence of sensitive or irrelevant content.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The compaction-recovery auto-triggers include vague phrases such as 'continue' or 'where were we?' that can occur in normal conversation. This can cause the skill to invoke recovery and read memory files unexpectedly, potentially resurfacing old sensitive context when not actually needed.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The memory architecture directs ongoing writes to SESSION-STATE.md, daily logs, and MEMORY.md, but it does not clearly present this as persistent logging that may retain user data over time. Users may reveal information in normal conversation without understanding it will be stored across sessions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The heartbeat workflow explicitly instructs the agent to check emails and calendars proactively, which can expose sensitive personal or business data without a contemporaneous user prompt or clear consent boundary. In a proactive agent skill, this is more dangerous because it normalizes recurring access to high-sensitivity data sources during background polling.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Directing the agent to move old screenshots to trash is a destructive file operation with no requirement for user notice, review, or reliable criteria for what counts as 'old'. In practice this can delete evidence, work product, receipts, or other user data, especially when run periodically and autonomously.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Closing apps and browser tabs without warning introduces availability and data-loss risk, especially for apps with unsaved documents, transient browser forms, or tabs holding session-specific context. Because the behavior is framed as routine hygiene, it encourages unattended execution of potentially disruptive actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This template explicitly encourages storing long-term memory about a user and other people, including background, preferences, important dates, relationships, and lessons learned, but it provides no warning or guardrails about sensitive personal data, minimization, consent, retention, or access control. In a proactive agent context designed to continuously improve and anticipate needs, this omission increases the likelihood that the agent or operator will persist unnecessary personal or sensitive information, creating privacy, compliance, and secondary misuse risks.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The onboarding flow explicitly says the agent will update USER.md and SOUL.md with collected personal context and preferences, but it does not present a clear user-facing warning about persistence, retention, or review/consent before writing that data to disk. This creates a privacy and security risk because sensitive personal information gathered conversationally may be stored in project files unexpectedly, exposed to other tools, future prompts, or repository sync workflows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This template explicitly encourages the collection of detailed personal context, including identity, timezone, relationships, work habits, preferences, and free-form notes, without any guidance on minimization, consent, retention, or safe handling. In an agent skill designed to build long-term user context, this can normalize over-collection of sensitive personal data and increase privacy, profiling, and prompt-leakage risk if the data is stored, surfaced, or reused insecurely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guidance explicitly tells the agent to persist user responses into ONBOARDING.md, USER.md, and SOUL.md during onboarding, but it does not require prior notice, consent, or data-minimization controls. This creates a privacy risk because personal preferences, goals, and potentially sensitive profile data may be silently accumulated and retained across sessions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The opportunistic learning section instructs the agent to infer and store personal information from ordinary conversation, including timezone, communication preferences, relationships, and projects, without explicit disclosure at collection time. This is more dangerous in context because the skill is designed to make the agent continuously proactive, increasing the likelihood of broad, ongoing profiling beyond what the user reasonably expects.

Ssd 3

Medium
Confidence
91% confidence
Finding
This section encourages the agent to learn from natural conversation and continuously update user-focused context files, which promotes broad passive collection of personal information. Because the collection is opportunistic rather than narrowly scoped, it increases the chance of storing unnecessary or sensitive details.

Ssd 3

Medium
Confidence
95% confidence
Finding
The memory guidance tells the agent to capture decisions, action items, open threads, and essentially all important context before compaction, with the rule 'If it's important enough to remember, write it down NOW.' That is an instruction for aggressive long-term retention, which can sweep in sensitive or confidential material without minimization controls.

Ssd 3

Medium
Confidence
94% confidence
Finding
The curiosity loop instructs the agent to identify personal gaps, ask gradual questions about history, relationships, values, and aspirations, and store the results in USER.md or MEMORY.md. This is effectively a system for incremental profiling and persistence of sensitive personal information, even when gathered casually over time.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to auto-populate persistent user profile files from conversational answers, which creates durable storage of personal context without clear minimization or access controls. Even if intended for continuity, this pattern raises risk of unnecessary retention and leakage of sensitive preferences, identity details, or private goals.

Ssd 3

Medium
Confidence
96% confidence
Finding
The WAL protocol requires persisting broad classes of user-provided details before responding, including proper nouns, preferences, decisions, draft edits, URLs, IDs, dates, and corrections. This is effectively a blanket retention rule for many sensitive data types and can capture secrets or personal information that the user did not intend to store long term.

Ssd 3

High
Confidence
99% confidence
Finding
The Working Buffer protocol mandates appending every human message and response summary after a context threshold, explicitly capturing raw conversation in a persistent file. This creates a broad data retention surface for potentially sensitive content and increases the blast radius if the file is later exposed, searched, or reused across sessions.

VirusTotal

64/64 vendors flagged this skill as clean.
