ClawHub

Sport Mode

Security checks across malware telemetry and agentic risk

Overview

Sport Mode does what it says: it changes OpenClaw’s heartbeat frequency and writes a monitoring task file, but users should understand that this affects active agent behavior.

Install only if you want OpenClaw to wake more frequently for a specific task. Back up or review any existing HEARTBEAT.md first, include a clear stop condition, run sport-mode off when finished, and do not put secrets or untrusted instructions in the task text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly states that the skill will hot-patch `openclaw.json`, create or overwrite `HEARTBEAT.md`, and later clear that file, but it does not prominently warn users about destructive local changes or possible loss of existing task state. In an agent skill context, undocumented overwrite behavior is risky because users may invoke the command conversationally and not realize local files or configuration will be modified automatically.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill explicitly instructs the agent to modify a live user configuration file and to overwrite or clear HEARTBEAT.md, but it does not present these as potentially destructive state changes or require explicit confirmation before doing so. In an agent setting, silent file mutation can surprise users, erase task state, or cause persistent monitoring behavior changes that outlive the immediate task.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script unconditionally overwrites HEARTBEAT.md using shell redirection, which can destroy existing user content in the workspace without confirmation, backup, or merge behavior. Because the target path is influenced by OPENCLAW_WORKSPACE and defaults to the current directory, this side effect is easy to trigger during normal use and can cause unintended data loss.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persistently changes the OpenClaw heartbeat configuration with `openclaw config set`, but does not clearly disclose that it is modifying long-lived agent defaults beyond the current invocation. This can silently alter monitoring behavior for future tasks, leading to unexpected resource usage, operational confusion, or weakened monitoring if the user assumes the change is temporary.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal