ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

skill-heartbeat-memory

v0.0.7

自动记忆保存 Skill。支持 Heartbeat 自动触发和主 Agent 中手动调用两种方式。自动检查新 sessions,生成 Daily 笔记,定期提炼 MEMORY.md,支持备份已删除的 sessions。

0· 203·0 current·0 all-time
byZeroX@justzerox
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (heartbeat-triggered memory saving, daily notes, MEMORY.md refinement) align with the code and docs: index.js, utils/* implement workspace detection, session filtering, incremental summaries and file writes. However, the package contains a post-install script and code that probes several environment variables (OPENAI_API_KEY, ANTHROPIC_API_KEY, DEEPSEEK_API_KEY, etc.) yet the registry metadata lists no required env vars — a mild mismatch worth noting.
!
Instruction Scope
Runtime instructions and the code instruct the skill to read many files under the user's home (~/.openclaw/openclaw.json, workspace directories, AGENTS.md, SOUL.md), scan session transcripts and gateway logs, and create/modify HEARTBEAT.md, ./memory/*, and state/config JSON files. That file I/O is consistent with the feature set, but the scope is broad (reads other workspaces, gateway logs and sessions files), and SKILL.md contains detected prompt-injection patterns (base64/unicode-control) — indicating the documentation itself may include obfuscated content or manipulation attempts. The skill will also run shell commands (execSync('openclaw agents list')), which is expected for workspace discovery but is a runtime capability with risk if executed in unexpected environments.
Install Mechanism
Registry shows no install spec (instruction-only), but the package contains package.json and scripts/post-install.js. That post-install script performs workspace detection, creates directories and config/state files, and prints guidance; it also inspects environment variables for LLM providers. Presence of a post-install script increases the attack surface (it will execute when installed via npm). There are no external arbitrary-download URLs observed in the provided files.
!
Credentials
Metadata declares no required env vars, yet post-install and code check for multiple LLM-related env vars (OPENAI_API_KEY, ANTHROPIC_API_KEY, DEEPSEEK_API_KEY, BAILIAN_API_KEY). The skill also documents notifyTarget values for external channels and may rely on platform-provided session tools. Probing for provider API keys without declaring them is a mismatch: it could be legitimate (skill tries to reuse whatever the host has), but it means the skill will behave differently depending on which secrets exist on the host. Users should not expose unrelated credentials to this skill.
Persistence & Privilege
always:false (no forced global inclusion) and default autonomous invocation are normal. The skill creates/updates files within workspaces (HEARTBEAT.md, ./memory/, MEMORY.md, heartbeat-state.json). That's expected for a memory-saving skill, but it does write to global user paths (~/.openclaw/workspace...) and maintains state across runs — consider this persistence when deciding install scope. It does not appear to change other skills' configs or set an always:true privilege.
Scan Findings in Context
[base64-block] unexpected: A 'base64-block' pattern was detected inside SKILL.md. The skill's purpose (workspace memory saving) does not require embedded base64 payloads; this could indicate obfuscated content or a prompt-injection attempt in the documentation. Inspect SKILL.md for hidden/encoded sections before installing.
[unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md. These are commonly used to hide/obfuscate or manipulate rendered text (prompt-injection technique). The skill's functional code does not need hidden text in its docs; review and remove such characters if present.
What to consider before installing
What to consider before installing: 1) Review the repository files locally before install. Inspect SKILL.md, scripts/post-install.js, index.js, and utils/*.js for any unexpected URLs, encoded blobs, or obfuscated strings (there are base64/unicode-control indicators in the doc). Remove/clean any hidden characters in SKILL.md. 2) Least privilege: install and test in a disposable or non-production profile/workspace first (or a VM/container) so the skill's filesystem writes (HEARTBEAT.md, ./memory/, MEMORY.md, heartbeat-state.json) don't affect important data. 3) Verify secrets and environment variables: the code probes for multiple LLM API keys even though none are declared in the registry. Ensure you do not have unrelated credentials in your environment that the skill would reuse inadvertently. Prefer running with only the credentials you intend the skill to use. 4) Post-install script: if you install via npm, scripts/post-install.js will run. Read that file and consider running it manually (or not at all) rather than allowing an automated postinstall if you want control over what it writes. 5) Disable automatic heartbeat until you're confident: Heartbeat is disabled by default but SKILL.md recommends enabling it. Keep memorySave.enabled=false or configure processSessionsAfter and maxSessionsPerRun conservatively before enabling automated runs. 6) Notifications and external channels: if you configure notifyTarget (feishu/wechat/telegram), know that the skill can send notifications to external channels configured by you — ensure channel credentials/IDs are correct and that you intend to expose summaries externally. 7) If you are unsure, request the upstream GitHub repo (the SKILL.md references github.com/JustZeroX/skill-heartbeat-memory) and confirm commit history and maintainers. A public, well-reviewed repo increases trust. If you want, I can: (a) point out specific lines in the files that reference env vars, shell execution, or file paths; (b) extract and show any base64 or hidden characters found in SKILL.md for inspection; or (c) suggest a safe minimal configuration to test the skill in a disposable workspace.
index.js:131
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk973nb3jd87dtwcqz0gkpxmckd84g9km

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments