Proactive Agent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent proactive-agent framework, but it gives the agent broad proactive, persistent, and self-modifying behavior that needs careful user review before use.

Install this only if you explicitly want a proactive, persistent agent. Before enabling it, set strict limits on which files, accounts, calendars, mailboxes, and apps it may access; disable or narrow heartbeat cleanup; require approval before deleting, closing, posting, sending, or self-modifying; and periodically review or clear the memory files it creates.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI01: Agent Goal Hijack
Medium
What this means

A malicious or stale BOOTSTRAP.md in the workspace could redirect the agent’s behavior and then be deleted, making the action harder to audit.

Why it was flagged

This makes an arbitrary workspace file authoritative for first-run instructions and then removes it, without source verification or user approval.

Skill content

If `BOOTSTRAP.md` exists, follow it, then delete it.

Recommendation

Only allow BOOTSTRAP.md from a trusted setup flow. Show its contents to the user and ask before following or deleting it.

ASI02: Tool Misuse and Exploitation
Medium
What this means

Apps, browser tabs, or local files could be closed, changed, or moved to trash unexpectedly.

Why it was flagged

The heartbeat checklist authorizes local UI and file changes using vague safety criteria and without explicit per-action approval.

Skill content

Check for apps not used recently, close if safe... Browser Tab Hygiene... Close: Random searches... Desktop Cleanup - Move old screenshots to trash

Recommendation

Require explicit approval before closing apps/tabs or moving files, and define exactly which paths and applications the agent may touch.

ASI03: Identity and Privilege Abuse
Medium
What this means

The agent may inspect sensitive account information during proactive checks without a clear permission boundary.

Why it was flagged

The skill encourages proactive reading of email and calendar account data, but does not define which accounts, credentials, folders, or event details are in scope.

Skill content

Things to check:
- Emails - urgent unread?
- Calendar - upcoming events?
...
Do freely:
- Read files, explore, organize, learn
- Search the web, check calendars

Recommendation

Specify allowed accounts/calendars/mailboxes, require user approval before first access, and limit what details may be stored in memory.

ASI06: Memory and Context Poisoning
Medium
What this means

Personal details and conversation context may be written to local memory files and reused later, including details the user did not intend to preserve.

Why it was flagged

The WAL and memory architecture persist names, preferences, decisions, dates, URLs, and other user context across sessions, with no clear retention, exclusion, or review policy.

Skill content

`SESSION-STATE.md` ... `memory/YYYY-MM-DD.md` ... `memory/working-buffer.md`; "SCAN EVERY MESSAGE" ... "WRITE — Update SESSION-STATE.md with the detail"

Recommendation

Define retention limits, sensitive-topic exclusions, allowed memory locations, and a regular user-review or clear-memory process.

ASI08: Cascading Failures
Medium
What this means

One incorrect lesson or poisoned instruction could change future agent behavior and compound over time.

Why it was flagged

The agent is told to modify its own operating rules and tool notes immediately, which can cause mistakes or bad inputs to persist into future sessions.

Skill content

Learn a lesson → update AGENTS.md, TOOLS.md, or skill file... Don't wait for permission to improve. If you learned something, write it down now.

Recommendation

Require the agent to propose diffs for AGENTS.md, TOOLS.md, SOUL.md, or skill files and wait for user approval before applying them.

ASI10: Rogue Agents
Medium
What this means

If heartbeats are enabled, the agent may keep checking resources and initiating contact without a fresh user request each time.

Why it was flagged

The skill supports periodic autonomous monitoring, state tracking, and outreach behavior outside a single user-requested task.

Skill content

When you receive a heartbeat poll... Track state in: `memory/heartbeat-state.json`... When to reach out: ... It's been >8h since you said anything

Recommendation

Enable heartbeats only with a clear schedule, task list, quiet hours, and approval rules for what the agent may check or change.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Users have less information for deciding whether to trust the author and included instructions.

Why it was flagged

The skill’s provenance is not easily verifiable from the registry metadata, although the provided code is limited to a local audit script and there is no remote install mechanism shown.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the files manually before installation and prefer a verified source or homepage for future versions.