Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Proactive Agent (wyblhl fork)

v3.1.1

Transform AI agents from task-followers into proactive partners. Implements WAL Protocol, Working Buffer, Compaction Recovery, Unified Search, Security Harde...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (proactive agent, WAL, working buffer, compaction recovery, heartbeat) align with included Python modules and reference docs. The scripts implement WAL capture, buffer append/read, recovery, unified search and heartbeat checks as advertised. Minor inconsistencies: SKILL.md references a './scripts/security-audit.sh' which is not present in the file manifest, and some documentation links point to external resources but the code does not fetch remote content.
! Instruction Scope
SKILL.md and the scripts instruct the agent to read and write many workspace files (SESSION-STATE.md, memory/YYYY-MM-DD.md, memory/working-buffer.md, MEMORY.md, etc.). This is expected for a memory system, but it is sensitive because these files can contain private data. The SKILL.md contained a pre-scan prompt-injection pattern (ignore-previous-instructions), indicating a possible attempt to manipulate runtime instruction flow. The instructions also suggest running a security audit script that is not included, which is an inconsistency and could mislead users. The scripts do not show network calls, but they do perform broad filesystem access under a hard-coded absolute path (see environment_proportionality).
Install Mechanism
There is no install spec (instruction-only for the registry), and code is shipped as Python scripts — no external downloads, brew/npm, or archive extraction. This is low installation risk. Files will be written when the scripts run, but nothing in the bundle automatically downloads or executes remote code.
! Credentials
The skill declares no required environment variables or credentials, which is appropriate. However, all scripts use a hard-coded absolute workspace path (WORKSPACE_ROOT = Path("D:/OpenClaw/workspace")) rather than a relative or configurable path. This is a concern because it may read/write files outside the intended agent sandbox or behave differently on non-Windows systems. The scripts read and write session/memory files (which is expected for the feature) but this file access is broad and will capture potentially sensitive content (emails, URLs, decisions) into plain files.
Persistence & Privilege
The registry metadata does not request 'always': true and model invocation is normal; the skill does not try to modify other skills or system-level configuration. It creates and updates files in a workspace (SESSION-STATE.md, HEARTBEAT.md, memory files), which is expected behavior for a memory system and not an elevated privilege by itself.
Scan Findings in Context
[ignore-previous-instructions] unexpected: The SKILL.md contained an 'ignore-previous-instructions' pattern flagged by the scanner. That phrase is a common prompt-injection vector and is not needed for a memory/WAL implementation; it should be removed or explained. Presence of this pattern in user-facing instructions is a red flag and should be manually reviewed.
What to consider before installing
What to consider before installing/running:
- Source trust: The skill's homepage is unknown and the owner is anonymous in the registry metadata. Only install if you trust the source or after a manual code review.
- Run in a sandbox first: Execute the scripts in an isolated environment (throwaway VM or container) so they can't touch your real files. The code writes/reads files and will create SESSION-STATE.md and memory files.
- Fix the workspace path: The scripts hard-code WORKSPACE_ROOT = D:/OpenClaw/workspace. Before running, change this to a relative or explicitly-configured path inside a safe workspace so it cannot read arbitrary locations on your machine.
- Remove or investigate injection strings: The SKILL.md contains prompt-injection phrasing flagged by the scanner. Make sure SKILL.md and other docs do not include 'ignore previous instructions' or similar phrases that could manipulate agent/system prompts.
- Audit sensitive writes: The WAL and working-buffer will capture dates, URLs, emails, numbers and other extracted details into plain files. If those files will contain private data, ensure they are stored securely (correct permissions, encrypted if needed) and that you are comfortable with local persistence.
- Verify missing artifacts: SKILL.md mentions './scripts/security-audit.sh' which does not exist in the package. Ask the author or scan the repo to confirm intended audit procedures.
- Check for network behaviour: The provided code has no network calls, which is good. If you later modify it to sync or share data externally, require explicit human approval and review destination endpoints.

If you are unsure, treat this as a moderate-risk skill: review and sanitize the code (path, prompt text, file permissions) and run it in isolation before giving it access to real data or production workspaces.
! references/security-hardening.md:142
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.
