Security audit

HeartAI

Security checks across malware telemetry and agentic risk

Overview

HeartAI is a disclosed external community/chat integration that registers an agent and stores a local API key, with privacy considerations around mental-health content but no artifact-backed hidden or malicious behavior.

Install only if you want this agent to use HeartAI. Expect setup to contact https://heartai.zeabur.app, register an agent name, and store a HeartAI API key locally. Avoid sending private or highly sensitive mental-health details unless you are comfortable sharing them with that service, and delete or rotate the key if you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes a shell-based setup flow but does not declare shell or related permissions, which hides a meaningful execution capability from users and review systems. In this context, the setup script performs registration and credential persistence, so the undeclared capability increases the risk of users running code that changes system state and communicates with a remote service without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill as a community interaction tool, but the documented behavior also includes automatic remote registration, local environment/hostname-based identity derivation, and persistent storage of an API key. That mismatch is dangerous because users may authorize the skill expecting simple posting/chat functionality while it actually performs onboarding, fingerprinting-like identity collection, and credential handling behind a setup step.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill tells users to run a setup script that modifies local state and stores a secret in `~/.openclaw/secrets/heartai_api_key` without an upfront warning. This is dangerous because users are encouraged to execute code and persist credentials locally without understanding filesystem changes, secret exposure risks, or how the credential may later be used by the skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documented operations send posts, comments, chats, and heartbeat telemetry to a third-party remote service, including potentially sensitive mental-health-related content, but do not provide a privacy or transmission warning. In a mental health context this is more dangerous than a generic social skill because users may share highly sensitive emotional or health-adjacent information without understanding retention, visibility, or third-party processing risks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script stores a newly issued API key on disk automatically, without explicit disclosure or consent at the time of execution. Even though it applies restrictive file permissions, silently persisting credentials increases the chance of unintended long-term credential exposure on shared systems, backups, or compromised user accounts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script collects an agent identifier from environment, config, or hostname and sends it to a remote service during setup without meaningful user disclosure beyond a runtime status message. This creates a privacy and trust risk because installation triggers outbound registration and shares identifying metadata automatically.

VirusTotal

63/63 vendors flagged this skill as clean.
