Heartbeats
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: heartbeats Version: 1.0.0 The skill bundle (specifically SKILL.md) provides instructions that encourage high-risk autonomous behavior, such as 'Commit and push your own changes' and strictly following instructions from a workspace file (HEARTBEAT.md). This configuration creates a significant surface for indirect prompt injection and unauthorized repository modification. While framed as productivity and 'memory maintenance' features, the lack of guardrails for autonomous git operations and the instruction to prioritize external file content over session context represent a significant security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A stale or modified HEARTBEAT.md file could steer future agent behavior during background checks.
This makes a workspace file a strict instruction source during autonomous heartbeat runs, without stating that it must remain subordinate to current user intent or require review for sensitive actions.
Read HEARTBEAT.md if it exists (workspace context). Follow it strictly.
Treat HEARTBEAT.md as a limited checklist, not an overriding instruction source; require user confirmation before sensitive or high-impact actions.
The agent could make unwanted changes to a project or push them to a shared remote repository.
The skill explicitly authorizes repository/documentation mutation and remote pushes without asking, but does not define scope, branch controls, diff review, rollback, or user approval.
Proactive work you can do without asking: ... Update documentation ... Commit and push your own changes
Require explicit user approval before file mutations, commits, or pushes, and limit actions to user-specified repositories and branches.
The agent may read sensitive communications or account notifications more broadly than the user expects.
These checks imply access to personal or work accounts, but the artifacts do not specify which accounts, credentials, scopes, folders, calendars, or notification sources are allowed.
Things to check ... Emails - Any urgent unread messages? Calendar - Upcoming events in next 24-48h? Mentions - Twitter/social notifications?
Only connect explicitly chosen accounts and scopes, and document exactly what the agent may read and when.
Incorrect, sensitive, or poisoned memory could persist across tasks, and useful memory could be removed without the user noticing.
The skill directs the agent to write persistent state and modify long-term memory during background heartbeats, including deleting information, without clear user review or retention boundaries.
Track your checks in memory/heartbeat-state.json ... Update MEMORY.md with distilled learnings ... Remove outdated info from MEMORY.md
Require reviewable diffs or confirmation for MEMORY.md edits and deletions, and define what memory files may be read or updated.
The agent may perform periodic checks or send reminders without a live conversation open.
Recurring heartbeat/cron behavior is central to the stated purpose, but users should notice that the skill encourages autonomous tasks and messages outside the main session.
Use cron when ... Output should deliver directly to a channel without main session involvement
Configure heartbeat and cron schedules deliberately, and keep autonomous tasks narrow and reversible.