Ops Hygiene
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding: The skill may use a local email/API credential and inspect an inbox on a schedule without the user explicitly configuring which account should be used.
Detail: The heartbeat reads an AgentMail token from a local .secrets file and uses it to access a fixed inbox, while the registry metadata declares no primary credential or required environment variable.
Evidence: client = AgentMail(api_key='$(grep -o "am_[a-f0-9]*" "$WORKSPACE/.secrets" 2>/dev/null || echo "none")') ... msgs = client.inboxes.messages.list(inbox_id='celeste.ai@agentmail.to')
Recommendation: Require explicit user configuration for the inbox and token, declare the credential in metadata, avoid scraping .secrets, and make email checks opt-in.

Finding: The agent could preserve unintended, sensitive, or broken changes in repository history during routine maintenance.
Detail: The recurring SOP directs broad workspace commits without requiring a user-reviewed diff or explicit approval.
Evidence: Git status — uncommitted changes? Commit workspace work. ... Git commit — commit all workspace changes with descriptive messages.
Recommendation: Require user approval before commits, show a diff, restrict allowed paths, and never commit generated or secret-bearing files automatically.

Finding: A malicious prompt or sensitive incident detail could be stored in memory and influence later sessions.
Detail: The skill tells the agent to persist incident context and later read recent memory files at session start, which can reintroduce blocked or suspicious content as trusted context.
Evidence: Read SOUL.md, USER.md, recent memory/YYYY-MM-DD.md ... also read MEMORY.md ... Log it — write to memory/YYYY-MM-DD.md with full context
Recommendation: Store incident logs separately from auto-read memory, quote or sanitize untrusted content, and label all captured attack text as non-instructional evidence.

Finding: If scheduled, the checks may continue running periodically and trigger local scans, reminders, and email checks.
Detail: The skill intentionally supports recurring maintenance and persistent state tracking; the artifacts do not install a daemon, but they are meant to be scheduled.
Evidence: Heartbeat Cycle (Every ~30 min when active) ... State tracking: memory/heartbeat-state.json
Recommendation: Only enable heartbeat scheduling if desired, document how to disable it, and keep recurring checks limited to user-approved actions.

Finding: Users have less provenance and dependency information than expected for scripts that inspect local system state.
Detail: The package includes runnable shell scripts but has no source URL or install/dependency specification in the provided metadata.
Evidence: Source: unknown ... No install spec — this is an instruction-only skill ... 4 code file(s)
Recommendation: Publish source/provenance details and declare required tools, optional services, and Python packages.
