Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tmp Proactivity Review

v1.0.0

Anticipates needs, keeps work moving, and improves through use so the agent gets more proactive over time.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the actual behavior: creating and maintaining a local proactive state under ~/proactivity/, proposing (but not applying) workspace integrations, and running recovery/heartbeat logic. The requested artifacts (local files and templates) are proportionate to the stated purpose.
Instruction Scope
SKILL.md limits actions to the home-folder ~/proactivity/ and requires explicit user approval before writing to workspace files (AGENTS/TOOLS/SOUL/HEARTBEAT). It instructs creating files, setting file permissions, and reading local state for recovery — all consistent with a local proactivity feature. Note: the skill will store user notes locally, so sensitive data could be placed there if the user saves it.
Install Mechanism
Instruction-only skill with no install spec and no code to fetch or execute. Lowest install risk — nothing is downloaded or written by an installer beyond the local files the instructions tell the agent to create (which require user approval in-session).
Credentials
No environment variables, binaries, or external credentials are requested. The skill only operates on a local folder and optionally reads workspace files if the user opts into integration.
Persistence & Privilege
The skill creates and maintains persistent state in ~/proactivity/ (with recommended restricted permissions). It is not marked always:true and does not request system-wide changes autonomously, but persistent local storage means it will keep state across sessions — consider whether you want persistent local notes and logs.
What to consider before installing
This skill appears to do what it says (local proactive state and suggestions) and does not ask for network access or credentials. However:

1) Packaging/metadata mismatches were found — the registry metadata (owner, slug, version) does not exactly match the files' internal SKILL.md/_meta.json values. That could indicate a repackaged or out-of-date copy; verify the author and source before trusting it.
2) The skill will create a folder in your home directory and persist logs/memory there — review those files and their permissions, and avoid storing sensitive secrets in them.
3) The skill promises to ask before editing workspace files; insist on that interactive confirmation and review any proposed diffs before allowing writes.
4) Because it's instruction-only, risk of remote code execution is low, but still review the SKILL.md content and test in a safe account or sandbox if you have doubts.

If the publisher identity or versioning cannot be verified, treat the package cautiously (do not enable automatic/always-on behavior and review any file writes before approving). Additional information that would raise confidence: a consistent owner/slug/version, an established homepage or repository with a trustworthy maintainer, or signed metadata.

Like a lobster shell, security has layers — review code before you run it.

latest vk97amavj7g10dvb2zb6fddvty583wbph

Runtime requirements

Clawdis
OS: Linux · macOS · Windows
