v2.1.0

What Should We Do?

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 4:54 AM.

Analysis

The skill is a coherent activity planner, but it needs review because it can use calendars, send group messages, create or cancel events, schedule cron reminders, and store personal contact/preferences data, with a Unicode-control-character injection signal in the instructions.

Guidance: Review this skill before installing. If you use it, grant only scoped calendar/messaging access, require confirmation before creating/deleting events or sending invites, inspect SKILL.md for Unicode control characters, and periodically review or delete the stored data in data/whatdo/.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: Medium | Status: Concern
SKILL.md
Pre-scan injection signals: unicode-control-chars

The supplied scan reports Unicode control characters in the instruction file. Such characters can hide or visually reorder text and are not needed for the stated activity-planning purpose.

User impact: Hidden or visually confusing instruction text could make the skill harder to review and could mislead the user or agent about what the instructions actually say.
Recommendation: Inspect SKILL.md for invisible/bidirectional/control characters and remove them unless there is a clearly documented benign reason.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
'put it on the calendar' | Add the accepted plan as a calendar event with reminders; 'send invites' / 'let the crew know' | Send invite messages to group members via their contact channels; 'cancel the plan' | Remove a planned event and notify attendees

The instructions map short user phrases directly to calendar creation, outgoing messages, cancellation, and attendee notification, but the provided text does not show an explicit confirmation/preview step for recipients, message contents, or event deletion.

User impact: The agent could create or remove calendar events or send messages to other people based on brief commands, which can cause confusion or unwanted notifications if details are wrong.
Recommendation: Before any calendar write, cancellation, or outgoing invite/notification, require a clear confirmation showing the event details, recipients, channel, and exact message.

Rogue Agents
Severity: Medium | Confidence: Medium | Status: Concern
SKILL.md
'calendar integration (Google Calendar + cron reminders)'

Cron reminders imply scheduled behavior that can continue after the immediate planning conversation. The provided instructions do not define the cron lifetime, cleanup behavior, or user approval requirements.

User impact: Reminder jobs or scheduled actions could persist longer than the user expects if they are not clearly created, listed, and removed.
Recommendation: Make cron/reminder creation opt-in, show the exact schedule before enabling it, store reminder state in a visible location, and provide a reliable cleanup/cancel path.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
SKILL.md; metadata
SKILL.md: 'Check the calendar — any planned events today/tonight? Conflicts?' and 'calendar integration (Google Calendar + cron reminders)'; metadata: 'Primary credential: none'

The skill instructs calendar access, including default Quick Mode calendar checking, but the registry metadata does not declare a credential, account scope, or capability boundary for that access.

User impact: A casual request like 'what should we do?' could cause the agent to inspect private calendar data, and later workflows may use the user's calendar account without clearly documented scoping.
Recommendation: Use explicitly scoped calendar credentials, require user opt-in before reading calendars, and document which calendar/account is accessed and what data may be read or changed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
All user data lives in '<workspace>/data/whatdo/'; 'preferences.json' stores learned preferences, groups, favorites, blacklists, routines, and personalization data; group members include telegram, email, phone, dietary, and alcohol fields.

The skill persistently stores personal preferences, history, contact details, and group attributes. This is purpose-aligned and locally scoped, but it is sensitive profile/context data reused across future tasks.

User impact: Personal activity preferences, contact information, dietary/alcohol notes, and past plans may remain in the workspace and influence future suggestions.
Recommendation: Review the contents of data/whatdo/ periodically, avoid storing contacts without consent, and delete or redact entries that should not persist.