v0.1.1

deterministic-controller

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:49 AM.

Analysis

This is a transparent docs-only automation template; it is not malicious, but arming it gives OpenClaw recurring file-updating, subagent orchestration, and optional Telegram logging.

GuidanceBefore installing or arming this skill, review HEARTBEAT.md and ACTIVITIES.md, run MANUAL_RECONCILE first, keep cron and heartbeat disabled until you are ready, sanitize the listed memory/profile files, and enable Telegram logging only if you are comfortable with those status lines leaving the workspace.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

templates/HEARTBEAT.md

This file defines the only valid control loop.
Execute exactly as written.
Do not use prior chat context.

The template intentionally makes HEARTBEAT.md authoritative during triggered controller cycles, which is aligned with deterministic orchestration but can override normal session context if the user arms it.

User impactWhen enabled, the agent may prioritize the controller contract over prior conversational context during heartbeat or poll cycles.

RecommendationOnly arm the controller in a workspace/session where you want HEARTBEAT.md to govern behavior, and review that file before enabling scheduled runs.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusNote

templates/ACTIVITIES.md

Manager may run up to **2 concurrent subagents** for current sprint throughput ... Poll workers every 3 minutes and respawn/reassign if stalled.

The skill documents autonomous subagent orchestration and retry/reassignment behavior. This is central to the controller purpose and capped, but it can start or reassign work without per-step human approval once armed.

User impactAfter you enable automation, OpenClaw may dispatch worker agents and update project state on a schedule.

RecommendationKeep subagent concurrency and tool/model allowlists tight, dry-run manually first, and review queued steps before enabling cron or heartbeat.

Rogue Agents

SeverityMediumConfidenceHighStatusNote

README.md

Create a cron job ... schedule: every 3 minutes ... Leave it **disabled** until you explicitly start.

The docs instruct the user to create persistent scheduled automation, but they clearly state it should be disabled by default and explicitly started by the operator.

User impactIf enabled, the controller can keep running periodically until you disable the cron job and heartbeat cadence.

RecommendationLeave the cron disabled until ready, use the documented disarm steps when stopping, and confirm heartbeat cadence is empty when automation should be off.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

templates/HEARTBEAT.md

`HEARTBEAT_TICK` (full context refresh):
  - `AGENTS.md`, `IDENTITY.md`, `USER.md`, `SOUL.md`, `MEMORY.md`, `memory/YYYY-MM-DD.md` ...

Heartbeat mode may read persistent profile and memory files. That is disclosed and bounded to named files, but those files can contain sensitive or stale context.

User impactPrivate notes or persistent memory content could influence automated decisions if heartbeat mode is enabled.

RecommendationRemove secrets from the listed files, review memory content periodically, and use manual reconcile or poll-only mode if full context refresh is not needed.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

templates/HEARTBEAT.md

Send via `message(action=send, channel="telegram", target="<TELEGRAM_GROUP_ID>", message="<LINE>")`.

The controller can send control-plane logs to Telegram when the user configures a group ID. This egress is explicit and opt-in, but it moves operational data outside the local workspace.

User impactController status lines may be visible in the configured Telegram group.

RecommendationOnly configure Telegram logging if you want external logs, use an allowlisted/private group, and keep emitted log lines free of sensitive project details.