Device Heartbeat Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill installs a disclosed user-level heartbeat monitor for healthchecks.io, with expected background persistence and no evidence of hidden or unrelated behavior.

Install this only on a device you intentionally want monitored. Treat the healthchecks.io ping URL like a secret, use a read-only API key for remote checks, avoid pasting secrets into shared shells or logs, and run the provided uninstall script when you no longer want the background LaunchAgent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill exposes shell execution paths (`bash scripts/...`, `tail`, `cat`) but does not declare any permissions or capability boundaries. That mismatch can cause the agent or reviewer to underestimate what the skill can do, increasing the chance of unintended command execution or unsafe deployment in environments that rely on declared permissions for trust decisions.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
When no CHECK_UUID is supplied, the script returns the full list of Healthchecks checks rather than limiting itself to a single device status lookup. In the context of a device-heartbeat skill, this broadens data access beyond the apparent task and can expose metadata about all monitored devices or services if the caller provides a valid API key.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation description includes broad, everyday phrases like 'is my Mac online', 'ping my device', and general network-connectivity wording, which could trigger the skill in ambiguous contexts. Because this skill can lead to shell commands, setup actions, log reads, and external API interactions, over-broad activation raises the risk of unintended execution and exposure of device-monitoring data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script accepts an API key as a command-line argument and sends it in an HTTP header to an external service. Passing secrets on the command line is risky because they may be exposed via shell history, process listings, logs, or orchestration tooling, and the skill provides no warning or safer handling mechanism.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script silently creates and loads a per-user LaunchAgent that will run automatically at login and be kept alive, establishing persistence without any interactive warning or confirmation. In a monitoring skill, persistence may be functionally intended, but making an autostart system change without explicit user consent is risky because it can surprise users, broaden attack surface, and make later abuse harder to notice.

Session Persistence

Medium
Category
Rogue Agent
Content
## Setup

### 1. Create a Check on healthchecks.io

Register at https://healthchecks.io, create a Check. Set Period = 3 min, Grace = 5 min. See `references/healthchecks-setup.md` for details.
Confidence
72% confidence
Finding
Create a Check on healthchecks.io Register at https://healthchecks.io, create a Check. Set Period = 3 min, Grace = 5 min. See `references/healthchecks-setup.md` for details. ### 2. Install heartbeat

Session Persistence

Medium
Category
Rogue Agent
Content
PING_URL="${1:?Usage: setup.sh <PING_URL> [INTERVAL_SECONDS]}"
INTERVAL="${2:-180}"
LABEL="ai.openclaw.device-heartbeat"
PLIST_PATH="$HOME/Library/LaunchAgents/${LABEL}.plist"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
HEARTBEAT_SCRIPT="${SCRIPT_DIR}/heartbeat.sh"
LOG_DIR="$HOME/.openclaw/logs"
Confidence
92% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
PING_URL="${1:?Usage: setup.sh <PING_URL> [INTERVAL_SECONDS]}"
INTERVAL="${2:-180}"
LABEL="ai.openclaw.device-heartbeat"
PLIST_PATH="$HOME/Library/LaunchAgents/${LABEL}.plist"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
HEARTBEAT_SCRIPT="${SCRIPT_DIR}/heartbeat.sh"
LOG_DIR="$HOME/.openclaw/logs"
Confidence
92% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
# Stop the existing service
launchctl bootout "gui/$(id -u)/${LABEL}" 2>/dev/null || true

cat > "$PLIST_PATH" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
Confidence
95% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
cat > "$PLIST_PATH" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
Confidence
91% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
cat > "$PLIST_PATH" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
Confidence
91% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
cat > "$PLIST_PATH" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${LABEL}</string>
Confidence
91% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
<key>Nice</key>
    <integer>10</integer>
</dict>
</plist>
EOF

launchctl bootstrap "gui/$(id -u)" "$PLIST_PATH"
Confidence
95% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
</plist>
EOF

launchctl bootstrap "gui/$(id -u)" "$PLIST_PATH"

echo "✅ Heartbeat service installed and started"
echo "   Plist: $PLIST_PATH"
Confidence
97% confidence
Finding
PLIST

VirusTotal

66/66 vendors flagged this skill as clean.
