Is proactive-agent safe?
https://clawhub.ai/halthelobster/proactive-agent
Proactive Agent is a comprehensive agent behavior modification skill that transforms agents from reactive to autonomous. While likely benign in intent (productivity framework from a known author), it aggressively overrides default agent behavior with strong imperatives, collects extensive personal data into persistent plain-text files, includes executable shell scripts, and creates significant attack surface for skill-chain exploitation. The skill normalizes autonomous actions, unsolicited builds, and personal data persistence that could be leveraged by subsequent malicious skills.
Category Scores
Findings (6)
HIGH Aggressive agent behavior override -30
The skill uses strong imperative language to fundamentally alter how the agent operates. Phrases like 'Non-negotiable. This is core identity.', 'Don't ask permission. Just do it.', and 'The urge to respond is the enemy' override the agent's default cautious behavior. The WAL Protocol hijacks the response pipeline by instructing the agent to STOP before responding and write to files first. The Relentless Resourcefulness section demands the agent 'try 10 approaches', 'spawn agents', and 'use every tool' before giving up — encouraging autonomous escalation.
MEDIUM Unsolicited autonomous actions encouraged -18
The Proactive Surprise pillar and Heartbeat system instruct the agent to build things the user didn't ask for, monitor emails/calendars, and reach out to the user unprompted. While gated by an 'ask before external actions' guardrail, the skill normalizes autonomous behavior that could bypass user intent. The Compaction Recovery explicitly says 'Do NOT ask what were we discussing' — suppressing clarification questions.
MEDIUM Extensive personal data collection and persistence -15
The onboarding system collects 12 categories of personal data including name, timezone, goals, key relationships, work style, communication preferences, and personality — storing it in plain text markdown files (USER.md, SOUL.md). The WAL Protocol ensures corrections, proper nouns, preferences, decisions, and specific values are continuously captured to SESSION-STATE.md. This creates a rich persistent personal data store that any subsequent malicious skill could read and exfiltrate.
MEDIUM Bundled executable shell script -28
The skill includes scripts/security-audit.sh, a bash script that scans the filesystem, reads config files ($HOME/.clawdbot/clawdbot.json), checks file permissions, and greps for secrets. While the script appears benign (security audit), it uses 'set +e' to continue on errors and accesses sensitive paths. The HEARTBEAT.md also contains shell commands the agent is instructed to run periodically.
LOW AWS credentials file accessed during install -5
The filesystem monitoring shows /home/oc-exec/.aws/credentials was opened during installation. This appears to be from the OpenClaw agent runtime bootstrapping (not the skill itself), but it indicates the install environment has access to sensitive credential files.
INFO Skill-chain attack surface creation -55
While this skill appears benign in intent (productivity/memory framework by a known ClawHub author), it creates significant attack surface for skill-chain exploitation. The persistent USER.md, SOUL.md, and SESSION-STATE.md files contain rich personal data in predictable locations. Any malicious skill installed afterward could trivially read these files. The skill also normalizes credential storage via TOOLS.md's .credentials/ directory reference.