Aleister Agent System
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a broad autonomous agent package that sets up persistent background work, memory, credentials, and external actions without sufficiently clear boundaries.
Install only if you intentionally want a broad autonomous agent system, not a narrow skill. Before enabling it, audit the scripts, remove bundled memory/state files that are not yours, use sandboxed low-privilege credentials, and do not enable cron, tmux persistence, social posting, repo pushes, or process-killing automation until you have reviewed and approved those behaviors.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could change and publish project state before the user has reviewed the action.
The artifact tells the agent to perform actions without asking and includes pushing changes, which can mutate remote repositories or shared workspaces.
Before doing anything else: ... Don't ask permission. Just do it. ... Proactive work you can do without asking: ... Commit and push your own changes
Require explicit user confirmation for commits, pushes, public posts, deployments, and other external or shared-state changes.
Background agents may keep consuming resources, changing files, or acting after the original task is over.
The documented workflow intentionally creates long-running persistent sessions, which can continue operating outside a single user request.
Persistent Tmux Sessions (Cipher, Forge) ... tmux ... sleep 999999
Do not enable persistent tmux/cron workflows until the user has reviewed timeouts, cleanup, logging, and a clear stop procedure.
The agent may load old or unrelated memories, leak private context into future tasks, or make decisions based on someone else's prior state.
The package ships and reuses a full memory state, which can contain personal, operational, or stale context and can influence future agent behavior.
This package includes the complete current state of the agent's memory system ... Daily Memory ... Long-term Memory ... State Tracking
Remove bundled memory and state files before installation unless the user explicitly wants this exact prior context; keep user-specific memory in a separate, access-controlled area.
Installing users may provide broad API keys without a clear registry-level permission contract, increasing cost and account-abuse risk.
The artifacts document many provider credentials, while the registry metadata declares no required env vars or primary credential.
Provider API Keys ... GEMINI_API_KEY ... ANTHROPIC_API_KEY ... OPENAI_API_KEY ... FIRECRAWL_API_KEY ... ELEVENLABS_API_KEY
Declare all required credentials, request least-privilege keys where possible, and document exactly which workflows use each key.
The skill could disrupt the user's active applications or unsaved browser work if enabled.
A documented background memory manager can run periodically and terminate local browser processes, which is a high-impact local action.
Cron: Every 15 minutes ... Critical ... All above + kill browsers (Safari, Brave, Chrome)
Disable automatic process-killing by default and require explicit opt-in with clear thresholds, logs, and an easy rollback.
Users may underestimate what will be installed or run because the registry metadata does not reflect the scripted setup and cron-based operation.
The skill asks the user to run bundled setup code and configure persistence even though the install spec says this is an instruction-only skill.
Run setup script: `cd aleister-agent-system && ./ops/setup.sh` ... Configure environment variables ... Set up cron jobs
Provide a complete install spec, declare setup effects, and make cron/background installation an explicit, separate opt-in step.
A bad, stale, or poisoned entry could be promoted into long-term memory and affect later sessions or subagents.
The self-improvement workflow can automatically turn prior logs or learnings into persistent memory and future prevention rules.
KCE ... Reads `memory/YYYY-MM-DD.md` AND `.learnings/*.md` ... Updates `MEMORY.md` ... Adds new errors to `error-patterns.md`
Require review before promoting logs into long-term memory or instruction files, and keep an audit trail of memory/instruction changes.
