Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Proactive Agent
v0.1.0
Transform AI agents from task-followers into proactive partners that anticipate needs and continuously improve. Now with WAL Protocol, Working Buffer, Autono...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The files (SKILL.md, AGENTS.md, HEARTBEAT.md, memory files, and a security audit script) line up with the declared purpose of creating a proactive, persistent agent: they instruct the agent to read/write workspace files, capture memory, and run a local audit. Nothing in the bundle requires unrelated credentials or external services. However, a short, isolated line in AGENTS.md (‘Don't ask permission. Just do it.’) conflicts with many other explicit guardrails that require human approval for external actions, creating ambiguity about how aggressive the agent should be.
Instruction Scope
The runtime instructions intentionally direct the agent to read and write many workspace files (ONBOARDING.md, USER.md, SESSION-STATE.md, memory files, working-buffer.md) and to run the included security-audit.sh. Those actions are coherent with the skill's purpose. The concern is mixed guidance: the repo repeatedly warns against executing external content or sending data out, yet elsewhere encourages aggressive behaviors (e.g., 'Don't ask permission', 'Use every tool', 'spawn agents', 'Autonomous Crons') — this grants broad operational latitude that could lead to scope creep. Also, the SKILL.md and references include many explicit examples of prompt-injection strings (used for detection), so a reviewer should confirm those are examples and not active instructions the agent will follow from fetched content.
Install Mechanism
There is no install spec and the skill is instruction-first with a single helper script. No downloads, package installations, or extracted archives are present. The only executable is a local audit shell script included in the repo; it operates on local files/configs and does not fetch remote code.
Credentials
The skill does not request any environment variables, binaries, or external credentials. The included docs recommend storing credentials in a .credentials directory and the audit script checks for .clawdbot config under $HOME — reasonable for a local agent. Because no external secrets are requested, credentials access appears proportionate. Still, the audit script inspects HOME-level config and /tmp logs if present, so users should be aware it reads local files outside the skill folder when run.
Persistence & Privilege
always:false and model invocation is allowed (platform default). The skill expects to write/read files in the workspace (e.g., copying assets, updating USER.md/SOUL.md/SESSION-STATE.md), which is normal for a stateful agent. There is no indication it modifies other skills or global agent settings, but some wording encourages autonomous actions (Autonomous Crons, spawning agents). Combined with the ambiguous 'Don't ask permission' text, this could increase the blast radius if the agent is given network or tool access.
Scan Findings in Context
[ignore-previous-instructions] expected: This phrase appears in the skill's security-patterns and HEARTBEAT examples as a pattern to detect prompt injection. Its presence is expected in documentation, but reviewers should confirm it's only example text and not content the agent is instructed to obey if encountered externally.
[you-are-now] expected: Also listed among injection patterns in references. Expected as teaching material; ensure the agent's runtime logic treats similar external input as data to flag rather than instructions to adopt.
[system-prompt-override] expected: Found in the SKILL.md/references as an example of an injection vector. This is appropriate in a security-focused skill but warrants manual verification that the agent's code enforces the documented guardrails.
What to consider before installing
This bundle is largely a design/operational handbook plus a local security-audit script — not a downloader — so it's not obviously malicious. Before installing or enabling it:
1) Read SKILL.md and AGENTS.md fully and resolve the contradictory guidance (especially the 'Don't ask permission. Just do it.' line) — insist the agent require explicit approval for external/irreversible actions.
2) Run ./scripts/security-audit.sh yourself in a safe, local environment to see what it reads (it checks $HOME/.clawdbot and /tmp logs if present).
3) Test the skill in an isolated workspace without network/tool permissions so you can confirm its file reads/writes are limited to the workspace.
4) If you plan to grant the agent tool or network access, remove or clarify any instructions that allow spawning other agents or autonomous crons until you have precise consent rules.
5) If you are not comfortable resolving the ambiguous guardrails, treat this skill as potentially risky and avoid giving it elevated privileges or credentials.
assets/HEARTBEAT.md:11
Prompt-injection style instruction pattern detected.
references/security-patterns.md:9
Prompt-injection style instruction pattern detected.
SKILL-v2.3-backup.md:179
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
