Turing Pyramid

Pass. Audited by ClawScan on May 10, 2026.

Overview

No direct malicious behavior is evident, but this is a stateful agent-prioritization skill that can read workspace files, steer autonomous actions, and optionally run persistent watchdog/cron scripts.

Install only into an isolated WORKSPACE. Start at Tier 1 or 2, keep external_model, agent spawning, allow_kill, and allow_cleanup disabled unless reviewed, and require explicit approval before the agent performs updates, credential/vault audits, deletions, public posts, purchases, or other high-impact actions.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note, High Confidence
ASI01: Agent Goal Hijack
What this means

The agent may prioritize and pursue actions chosen by the skill during heartbeats.

Why it was flagged

The skill intentionally changes the agent's action-selection and completion flow. This is aligned with its purpose, but it can pressure the agent to act on skill-selected tasks rather than simply report suggestions.

Skill content
Execution Gate: structural enforcement that prevents agents from describing actions instead of doing them.
Recommendation

Use the execution gate only where autonomous action is desired, and require the agent to ask before high-impact, external, public, or irreversible actions.

What this means

If the agent follows suggestions without review, it could inspect sensitive areas, modify files, or affect the local environment.

Why it was flagged

The action catalog can suggest security, backup, credential-audit, and update-related work. The artifacts describe these as suggestions rather than direct script execution, but an agent with tools could act on them.

Skill content
"run full backup + integrity verification" ... "full security audit (vault, credentials, permissions)" ... "check for updates (OpenClaw, skills) — ask before applying"
Recommendation

Keep impactful actions behind explicit user approval, especially updates, backups, vault/credential review, archiving, deletion, or public posting.

What this means

If enabled, workspace-derived scan content may be sent to an external inference provider using a configured credential.

Why it was flagged

The optional external-model path can require an API key and delegated provider access, but it is disabled by default and marked as requiring steward approval.

Skill content
"external_model": { "enabled": false, "base_url": null, "api_key_env": null, "model": null, "approved_by_steward": false
Recommendation

Leave external_model disabled unless you explicitly choose the provider, define the API key source, understand what data is sent, and document approval.

What this means

Private workspace information can influence future agent behavior and may be summarized into persistent local files.

Why it was flagged

The skill reads workspace files and writes persistent state, audit, follow-up, and mindstate files. This is expected for a stateful prioritizer, but it can retain or reuse sensitive context if the workspace is not isolated.

Skill content
This skill reads files under WORKSPACE. If WORKSPACE points at a sensitive directory, the skill can scan sensitive files there.
Recommendation

Use a dedicated isolated WORKSPACE, do not point it at $HOME or credential directories, and periodically review generated state/audit/mindstate files.

Note, High Confidence
ASI10: Rogue Agents
What this means

If enabled, the skill may keep updating mindstate or monitoring its own scripts after restarts.

Why it was flagged

The continuity and watchdog layers can persist beyond an agent session via cron. The artifacts disclose this and state that destructive kill/cleanup actions are opt-in, but persistence is still important for users to understand.

Skill content
Both daemon and watchdog run via system cron — they survive OpenClaw/agent restarts.
Recommendation

Start with interactive or heartbeat-only use, and only enable cron/watchdog after reviewing scripts and confirming allow_kill and allow_cleanup remain off unless truly needed.