v1.0.0

Memory Onboarding Wizard

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:53 AM.

Analysis

This skill mostly creates local memory files, but it also installs a default heartbeat checklist that can prompt future agents to repeatedly check email and calendar without a clear opt-in.

GuidanceBefore installing, be prepared to inspect the generated MEMORY.md, USER.md, and especially HEARTBEAT.md. The memory files are expected, but remove the default email/calendar heartbeat tasks unless you want your agent to perform those recurring checks.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents

SeverityMediumConfidenceHighStatusConcern

scripts/memory-onboarding-wizard.py

The agent reads this file on every heartbeat poll... Active Checks (rotate through these 2-4x/day)\n\n- [ ] Email — any urgent unread messages?\n- [ ] Calendar — upcoming events in the next 24-48h?\n- [ ] Weather — relevant if your human might go out?

The script's HEARTBEAT.md template creates persistent recurring instructions for future heartbeat polls, including email and calendar checks, which can continue after the initial memory setup and may use sensitive integrations if available.

User impactAfter setup, a future agent could treat these default heartbeat tasks as permission to repeatedly inspect email or calendar information.

RecommendationReview and edit HEARTBEAT.md immediately after installation; remove email/calendar checks unless you explicitly want them, and add clear approval requirements for any account or private-data access.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

Your agent will read these files at the start of each session to maintain continuity... USER.md — Asks 3 quick questions (name, timezone, main use case) and writes them

The skill intentionally creates persistent memory/profile files that are reused across sessions; this is purpose-aligned, but users should know that personal context and any later edits may influence future agent behavior.

User impactInformation placed in these files can persist across sessions and shape how the agent responds later.

RecommendationKeep USER.md and MEMORY.md limited to information you are comfortable having reused, and periodically review or delete outdated or sensitive entries.