v1.2.0

Smart Agent Workflow

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:37 AM.

Analysis

This workflow skill is not clearly malicious, but its included memory and collaboration components can persist/share user information and write files without tight boundaries, so it should be reviewed carefully.

GuidanceReview before installing if you plan to use the memory or multi-agent features. If you only want the workflow rules, avoid enabling the memory manager and shared-agent setup until storage paths, redaction, retention, AI-client destinations, and trusted message sources are clearly configured.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

AGENTS.md

主动执行，不反复询问 — 自主判断执行，只在涉钱/权限/删除时才询问

This deliberately alters the agent's default stopping and confirmation behavior; it is aligned with the workflow purpose, but users should notice the broader autonomy.

User impactThe agent may proceed with many actions without asking first, relying on the skill's own danger-operation rules.

RecommendationInstall only if you want these rules to govern the agent broadly, and keep stricter confirmations for file changes, external sends, account actions, and production operations.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

integrations/memory_manager.py

path = os.path.join(self.storage_dir, f"{user_id}_history.json") ... os.remove(path)

The code uses user_id directly in filesystem paths for reads, writes, and deletes without visible sanitization, normalization, or enforcement that the resolved path stays inside storage_dir.

User impactIf this helper is used with untrusted or malformed user IDs, it could write or remove files outside the intended memory directory under the agent's permissions.

RecommendationNormalize and validate user IDs, reject path separators, resolve paths and enforce a storage-dir prefix, and avoid deletion based on unsanitized identifiers.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

docs/OLLAMA_SETUP.md

curl -fsSL https://ollama.com/install.sh | sh

The Ollama setup docs include a user-directed remote shell installer; it is not automatically run by the skill, but it is an unpinned external install path.

User impactRunning this command executes whatever the remote installer serves at that time.

RecommendationVerify installer provenance, prefer package managers or pinned releases where possible, and run optional setup commands only after reviewing them.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

docs/OLLAMA_SETUP.md

export TELEGRAM_BOT_TOKEN="你的Bot Token"

Optional setup documentation asks for Telegram bot credentials even though the registry metadata declares no required credentials; no leakage or hardcoded token is shown.

User impactUsing the optional Telegram path would grant the bot access associated with that token.

RecommendationTreat the Telegram setup as a separate optional integration, use least-privilege bot tokens, keep tokens out of shared memory/logs, and do not configure it unless needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusConcern

integrations/memory_manager.py

history.append({"role": "user", "content": user_message}) ... parts.append(f"\n【用户记忆】\n{memory}")

The module persists user messages and later injects stored memory into the system prompt; its async compression path also sends history to the configured AI client, with no evident redaction or memory-trust separation in the code.

User impactSensitive text typed to the agent may be retained or summarized, and poisoned memory can influence later tasks.

RecommendationMake memory opt-in, redact secrets before saving or summarizing, show users what will be remembered, document where summaries are sent, and treat stored memory as untrusted context rather than authoritative instructions.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusConcern

docs/MULTI_AGENT_COLLABORATION.md

Agent B 定期扫描日志 → 发现 @Lily → 开始执行

The collaboration design lets agents act on shared logs/task boards and session messages, but the artifacts do not define sender authentication, authorization, or origin validation for those instructions.

User impactA mistaken or malicious shared note/message could cause another agent to start work, change files, or propagate bad instructions.

RecommendationRequire signed or trusted task ownership, validate message origin, separate untrusted shared notes from executable instructions, and require user or owner confirmation before cross-agent actions.