Back to skill
Skillv1.0.1
ClawScan security
Sport Mode · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:25 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill does what it says: it toggles OpenClaw's heartbeat frequency and writes a HEARTBEAT.md task file; its requirements and behavior are internally consistent.
- Guidance
- This skill is coherent but makes live changes to your OpenClaw configuration and workspace files. Before installing: (1) confirm you have the openclaw CLI available and test `openclaw config` manually; (2) back up ~/.openclaw/openclaw.json so you can restore defaults; (3) prefer using OPENCLAW_WORKSPACE if you don't want HEARTBEAT.md in your current directory; (4) always include an explicit termination condition in the task (e.g., run `sport-mode off`) to avoid indefinite high-frequency polling; (5) be aware that letting an agent inspect tmux panes or workspace files can expose terminal output or other local data — grant that capability only if you trust the agent and task. If you want stricter control, run the script manually rather than allowing autonomous agent invocation.
Review Dimensions
- Purpose & Capability
- okThe name/description, README, SKILL.md, and the included script all align: the skill changes the agent heartbeat and writes/clears HEARTBEAT.md. No unrelated credentials, binaries, or installs are requested.
- Instruction Scope
- noteRuntime instructions and the script explicitly patch OpenClaw configuration (via `openclaw config set`) and create/overwrite HEARTBEAT.md in the workspace. The SKILL.md additionally recommends patterns like using tmux and letting the agent read/update HEARTBEAT.md; those recommendations imply the agent may access terminal output or workspace files (which is expected for a monitoring helper) but are outside the provided script itself. Users should be aware this skill modifies config and workspace files.
- Install Mechanism
- okNo install spec or external download is present — this is instruction-only plus a local script. Nothing is fetched from external URLs or written to nonstandard locations by an installer.
- Credentials
- okThe skill declares no required credentials or env vars. The script references HOME and an optional OPENCLAW_WORKSPACE (a reasonable, documented override) but does not request secrets. The single impactful action is changing the global heartbeat setting via the OpenClaw CLI, which is proportional to the stated purpose.
- Persistence & Privilege
- noteThe skill does modify global OpenClaw configuration (agents.defaults.heartbeat.every) while active, which affects system-wide heartbeat cadence. It is not always-enabled and does not alter other skills' configs, but this global config change can increase resource/activity and should be used with explicit termination conditions to avoid prolonged high-frequency checks.