Heartbeats
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill is not clearly malicious, but it asks the agent to proactively access accounts, edit memory and documentation, and commit/push changes without clear approval boundaries.
Install only if you intentionally want an agent that performs periodic proactive checks. Before using it, restrict which accounts and workspace files it may access, require confirmation before commits or pushes, review HEARTBEAT.md and MEMORY.md changes, and define quiet hours plus a clear disable procedure.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A workspace checklist could steer the agent's future actions more strongly than the user expects, especially during unattended heartbeat runs.
The skill makes a mutable workspace file authoritative during heartbeats and also permits the agent to edit that file, which can redirect future autonomous behavior.
Quoted from SKILL.md: "Read HEARTBEAT.md if it exists (workspace context). Follow it strictly. ... You are free to edit `HEARTBEAT.md`"
Treat HEARTBEAT.md as a user-reviewed checklist only, and do not allow it to override current user instructions or safety rules.
The agent could make and publish repository changes before the user reviews them.
Committing and pushing changes can mutate repositories or shared projects, and the artifact explicitly frames this as something the agent may do without asking.
Quoted from SKILL.md: "Proactive work you can do without asking: ... Update documentation ... Commit and push your own changes"
Require explicit user approval before any write, commit, push, publish, or shared-project mutation.
If account tools are available, the agent may read sensitive email, calendar, and social-notification data during periodic checks.
The skill directs the agent to access private account data, but the registry metadata declares no credentials, account boundaries, or permission scope.
Quoted from SKILL.md: "Things to check ... Emails - Any urgent unread messages? ... Calendar - Upcoming events ... Mentions - Twitter/social notifications?"
Limit connected accounts and tools, define exactly which sources may be checked, and require approval before acting on private account content.
Incorrect or poisoned memory entries could affect future conversations, and useful information could be removed without review.
The skill instructs the agent to maintain persistent state and alter long-term memory, including deleting old information, without clear review, retention, or trust boundaries.
Quoted from SKILL.md: "Track your checks in `memory/heartbeat-state.json` ... Update `MEMORY.md` with distilled learnings ... Remove outdated info from MEMORY.md"
Review memory changes, keep backups or diffs, and require confirmation before deleting or promoting information into long-term memory.
The agent may contact the user or perform background checks more often than expected if heartbeat scheduling is enabled.
Periodic proactive behavior is disclosed and is central to the skill, but users should be aware that it encourages ongoing, autonomous check-ins rather than one-off tasks.
Quoted from SKILL.md: "Things to check (rotate through these, 2-4 times per day) ... When to reach out ... It's been >8h since you said anything"
Set explicit quiet hours, check frequency, allowed tasks, and a simple way to disable heartbeat behavior.
