Is blackmcvn/proactive-agent-3-1-0 safe?
https://github.com/openclaw/skills/tree/main/skills/blackmcvn/proactive-agent-3-1-0
proactive-agent-3-1-0 is a legitimate agent productivity framework that introduces significant autonomy and behavioral control risks. The skill's most concerning patterns are the BOOTSTRAP.md self-destruct instruction vector, autonomous cron sub-agent spawning without user approval, and a persistent identity framework that shapes agent behavior across all sessions. No active data exfiltration was detected and canary files remained intact, but the architectural patterns — particularly unilateral action authorization and session-persistent behavioral overrides — represent meaningful risk for agents with filesystem and tool access.
Findings (12)
HIGH: BOOTSTRAP.md Self-Destructing Instruction Vector (-15)
AGENTS.md instructs the agent to follow BOOTSTRAP.md and then delete it on first run. This creates a covert instruction channel: arbitrary commands execute under the skill's trusted context and then the evidence is destroyed before any audit can occur. A malicious actor distributing this skill with a weaponized BOOTSTRAP.md could execute any agent instructions with no persistent trace.
HIGH: Autonomous Sub-Agent Spawning Without User Approval (-20)
The skill defines a cron architecture using 'isolated agentTurn' sessions that spawn sub-agents executing tasks fully autonomously — no user attention or approval required. These sub-agents can read and write files and run commands silently in the background. The SKILL.md explicitly frames this as superior to prompting the user, meaning autonomous execution is the intended design rather than an edge case.
HIGH: Persistent Identity Override Framework Injected into Workspace (-20)
The Quick Start instructs users to run 'cp assets/*.md ./' which copies 9 behavioral configuration files into the working directory. AGENTS.md then instructs the agent to read SOUL.md, USER.md, and memory files before doing anything else at every session. This creates a persistent behavioral framework that shapes the agent's identity, values, and operating rules across all future sessions, potentially overriding the host application's intended agent behavior.
MEDIUM: WAL Protocol Intercepts All User Messages Before Response (-10)
The Write-Ahead Log Protocol instructs the agent to stop composing its response upon receiving any user message, write to SESSION-STATE.md first, then respond. This fundamentally alters the agent's response pipeline. Combined with a file-write tool, this means every user message — including sensitive ones — is intercepted and written to disk before the user receives a reply.
MEDIUM: Relentless Resourcefulness May Authorize Broad Unilateral Actions (-15)
The Relentless Resourcefulness section explicitly instructs the agent to try 5-10 different approaches before asking for help, using 'every tool: CLI, browser, web search, spawning agents.' This pattern authorizes a significant volume of autonomous tool calls and sub-agent spawning before the user is consulted, potentially causing unintended side effects across multiple systems.
MEDIUM: Consent-Bypass Directive in AGENTS.md (-10)
AGENTS.md contains the instruction 'Don't ask permission. Just do it.' This directive is contextually placed after instructions to read memory files at session start, but it is injected into the agent's behavioral system prompt without scoping markup, meaning a model could apply it broadly across actions rather than narrowly to file reads.
MEDIUM: Credential Storage Architecture Managed by Agent (-10)
The skill establishes a .credentials/ directory and TOOLS.md as the canonical location for storing API keys and credentials, with the agent responsible for reading and managing them. This expands the credential surface area accessible to the agent across all sessions and creates a single point of compromise.
LOW: Systematic Post-Install Credential File Read Pattern (-10)
All six credential honeypot files were accessed simultaneously at timestamp 1771738927.214, approximately 11 seconds post-installation. The simultaneous multi-file access is consistent with the audit harness performing a final canary integrity check, but the pattern is indistinguishable from a systematic credential discovery scan. No modification or exfiltration was detected.
LOW: System Log Access During Heartbeat Monitoring (-8)
HEARTBEAT.md instructs the agent to run 'tail -100 /tmp/clawdbot/*.log' during periodic heartbeat checks, giving the agent ongoing read access to system logs that may contain sensitive operational data, error messages with credentials, or user behavior patterns.
LOW: Executable Shell Script Distributed with Skill (-5)
scripts/security-audit.sh is an executable bash script distributed as part of the skill. The script itself appears benign — it checks file permissions, scans for exposed secrets in the skill directory, and validates gateway configuration. However, the inclusion of executable shell code in a skill warrants explicit user review before execution.
INFO: Self-Modification Protocols Allow Autonomous Rule Updates (-5)
The ADL (Anti-Drift Limits) and VFM (Value-First Modification) protocols explicitly instruct the agent to learn from interactions and update its own operating system (AGENTS.md, TOOLS.md) autonomously. While guardrails are described, self-modification of agent behavioral rules without user review is an inherent trust risk.
INFO: Clean Installation, Expected Network Activity Only (0)
Git clone only contacted github.com. No unexpected DNS queries, no connections to third-party telemetry endpoints, no post-install persistent network connections created. Installation left no new listening ports.