skill-heartbeat-memory

Security checks across malware telemetry and agentic risk

Overview

This skill openly saves OpenClaw conversation summaries into workspace memory files, which is privacy-sensitive but matches its stated purpose.

Install only if you want OpenClaw sessions summarized into long-lived workspace files. Review ./memory/ and ./MEMORY.md regularly, avoid using it on sessions with secrets or regulated data, consider disabling filesystem scanning for deleted sessions, and back up files before following troubleshooting steps that delete config or HEARTBEAT.md.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (24)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 72% confidence
Finding: The skill documentation indicates capabilities beyond a simple passive memory helper, including environment/config awareness, but it does not declare permissions or clearly scope what it reads. Undeclared capability use reduces transparency and can cause the agent to access configuration or environment-derived context without informed user approval.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 94% confidence
Finding: The declared purpose is memory preservation, but the documented behavior also includes editing HEARTBEAT.md, reading ~/.openclaw/openclaw.json, invoking CLI commands to inspect agents/workspaces, and sending notifications. This mismatch is dangerous because users may install it expecting local note generation while it also modifies orchestration files and inspects broader system/workspace state.

Context-Inappropriate Capability

Medium

Confidence: 86% confidence
Finding: The skill sends completion notifications via message/Feishu and auto-discovers a user target from feishu_get_user or session identifiers, which expands data flow beyond the stated memory-saving purpose. Even though the message body is short, this creates an unnecessary outbound communication channel that can disclose activity metadata such as session counts, execution timing, and user linkage to external recipients.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The README prominently advertises automatic scanning of sessions and writing summaries to persistent memory files, but it does not clearly warn users that conversation contents may be copied, retained, and exposed in new files. In a memory/archival skill, this omission materially increases privacy risk because users may enable Heartbeat without understanding the retention implications.

Missing User Warnings

High

Confidence: 97% confidence
Finding: Documenting backup of deleted sessions without a strong warning is dangerous because it can preserve data users intentionally removed, undermining deletion expectations and potentially violating privacy or retention policies. In this skill's context, automatic archival makes the risk more serious because the feature is continuous and background-triggered.

Missing User Warnings

Medium

Confidence: 82% confidence
Finding: The skill prominently advertises automatic creation and modification of memory files and backup handling, but it does not clearly foreground the risk of persistent user data changes or retention side effects. In a periodic background task, silent persistence can capture sensitive conversation content and make deletion expectations unreliable.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: Automatic maintenance of HEARTBEAT.md means the skill edits a user/workspace control document as part of normal operation. Modifying scheduler/task documentation automatically can mislead operators, overwrite intent, or create a persistence foothold if users do not realize the file is being changed in the background.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The sample explicitly describes automatic generation and incremental updating of Daily notes, but it does not warn users that the skill may create or modify files based on conversation content. In a memory-preservation skill, silent persistence of user interactions increases privacy and consent risk because users may not realize their data is being written to disk and continuously updated over time.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The core workflow reads session transcripts, summarizes them, and writes persistent daily notes and MEMORY.md without any clear consent gate, notice, or per-session exclusion mechanism. Because transcripts may contain sensitive user content, this materially increases privacy risk and can turn ephemeral conversation data into durable, searchable records that are easier to leak or misuse.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The documentation explicitly states that the skill can scan the filesystem and recover/process deleted sessions, but it does not disclose the privacy implications, consent expectations, retention behavior, or data-scope boundaries. In a memory-preservation skill, this increases the risk of collecting sensitive user content beyond what users reasonably expect, especially for deleted or historical sessions.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The document explicitly enables scanning the file system and processing session data but does not provide any privacy notice, consent guidance, scope limitation, or warning about sensitive data exposure. In a memory/archival skill, this can lead operators to unknowingly collect and persist confidential workspace content, chat history, or deleted-session artifacts beyond user expectations.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The troubleshooting guide instructs users to delete `./memory/heartbeat-memory-config.json` to recover from errors, but it does not warn that local configuration changes will be lost and that regenerated defaults may alter behavior. Even though the path is scoped to the workspace, destructive commands in operational docs are risky because users may execute them reflexively during debugging.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The document recommends deleting `./HEARTBEAT.md` without clearly warning that any manually added local content may be lost. Because this is a top-level user-visible file, users may assume it is fully generated when in practice it may contain edits worth preserving.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The code forwards selected session content, including user and assistant messages plus prior summary context, to sessions_spawn for LLM/subagent processing without any visible consent, disclosure, or sensitivity filtering in this file. In a memory-saving skill, that creates a real privacy risk because potentially sensitive conversation content may be transmitted to another processing component and persisted indirectly through summaries.

Ssd 3

Medium

Confidence: 90% confidence
Finding: The README describes a system that persistently collects session content and condenses it into memory artifacts, which creates a real data retention surface even without code shown here. In this context, the skill's purpose is to continuously transform conversational data into durable files, so the privacy and inadvertent disclosure risk is inherent and not merely theoretical.

Ssd 3

Medium

Confidence: 88% confidence
Finding: The feature list encourages broad automatic scanning, tracking, and recording of session contents, normalizing retention of potentially sensitive conversations. Because the skill is designed for unattended periodic execution, this increases the chance that secrets, personal data, or internal discussions will be stored longer and more widely than users expect.

Ssd 3

Medium

Confidence: 91% confidence
Finding: The incremental update design specifically aims to keep capturing newly added conversation content over time, which strengthens the persistence and surveillance-like aspects of the skill. In a background Heartbeat workflow, this can continuously accumulate sensitive user data into summaries and state files with little ongoing user awareness.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The skill is intentionally designed to retain and summarize session content into persistent memory files, which creates a real confidentiality risk if those notes contain secrets, personal data, or sensitive business context. In this skill context the behavior is expected, but that context does not remove the risk because persistence broadens exposure and retention beyond the original chat surface.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The summarization task explicitly instructs a subagent to process raw session content and extract key details into structured output for storage. That is not inherently malicious, but it creates a concrete disclosure pathway where sensitive user-provided content is re-expressed and persisted, potentially amplifying leakage if prompts, outputs, or subagent logs are exposed.

Ssd 3

Medium

Confidence: 94% confidence
Finding: The incremental summarization flow explicitly instructs an LLM to analyze prior summaries and newly collected user conversation content, then extract persistent decisions and topics for storage, without any semantic restrictions on sensitive material. In a memory skill, this is especially dangerous because it can normalize long-term retention of secrets, personal data, credentials, or confidential project information from ordinary conversations.

Tool Parameter Abuse

High

Category: Tool Misuse
Content: openclaw gateway restart # 4. 重建配置文件（相对于当前工作区） rm ./memory/heartbeat-memory-config.json ``` > 💡 **路径说明：** 故障排查命令中的路径都是相对于当前工作区（`./`）。在工作区目录下执行即可，无需指定完整路径。
Confidence: 88% confidence
Finding: rm ./memory/

Tool Parameter Abuse

High

Category: Tool Misuse
Content: openclaw gateway restart # 方案 2：重建配置文件（相对路径，在工作区目录下执行） rm ./memory/heartbeat-memory-config.json # 下次执行时会自动重建 # 方案 3：重新安装 Skill
Confidence: 94% confidence
Finding: rm ./memory/

Tool Parameter Abuse

High

Category: Tool Misuse
Content: # 确保当前用户有写权限 # 方案 3：手动删除 HEARTBEAT.md，下次执行时会自动创建（相对路径） rm ./HEARTBEAT.md ``` ---
Confidence: 95% confidence
Finding: rm ./

Tool Parameter Abuse

High

Category: Tool Misuse
Content: ```bash # 方案 2：删除配置，让 Skill 重新检测（相对路径） rm ./memory/heartbeat-memory-config.json # 下次执行时会自动检测 # 方案 3：删除 configHash（触发重新同步）
Confidence: 94% confidence
Finding: rm ./memory/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal