Beat

Security checks across malware telemetry and agentic risk

Overview

Beat appears to be an offline local logging command-line tool with no credential or network behavior shown, but the visible code may not actually perform the advertised audio conversion or analysis.

This does not show malicious behavior, but treat it as a local activity logger unless you confirm a fuller Beat CLI is installed. Be careful with sensitive file names or metadata in commands, and review how the `beat` executable is installed before relying on it.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI09: Human-Agent Trust Exploitation
Low
What this means

A user or agent may assume audio files were converted or analyzed when the visible artifact mainly records the request.

Why it was flagged

The visible implementation for advertised commands such as convert records the input to a log rather than showing actual audio conversion or metadata analysis, so the capability description appears broader than the code shown.

Skill content

`convert) ... echo "$ts|$input" >> "$DATA_DIR/convert.log" ... echo "  [Beat] convert: $input"`

Recommendation

Verify actual outputs before relying on the tool for audio processing, and review any installed `beat` command separately if it differs from this script.

ASI06: Memory and Context Poisoning
Low
What this means

Information typed into Beat commands can remain on the local machine and later be searched or exported.

Why it was flagged

The skill persistently stores activity history, which may include file names, paths, or other user-provided command text.

Skill content

All data is stored locally at `~/.local/share/beat/`. Each action is logged with timestamps.

Recommendation

Avoid putting secrets or sensitive private details in command arguments, and periodically inspect or clear `~/.local/share/beat/` if needed.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users may need to manually determine what executable is actually being run as `beat`.

Why it was flagged

The skill documentation assumes a `beat` CLI exists and the manifest includes a script, but no install specification explains how that command is installed or pinned.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Only install or place the script on PATH from a trusted source, and review the script before making it executable.