heartbeat-scanner
v2.0.0
Validate your agent nature through SHACL-based heartbeat analysis. Are you an Agent, Human, Cron, or Hybrid? Self-classification tool with structural validat...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code and files: Python + SHACL + RDFlib code implements a local Turtle-profile validator and classifier. No unexpected binaries, cloud APIs, or credentials are requested.
Instruction Scope
SKILL.md and README only instruct running the local Python scanner against a .ttl profile. However, the pre-scan detected 'unicode-control-chars' in SKILL.md (prompt-injection pattern). The docs also reference a 'claw' CLI and a 'Heartbeat Auditor' which are not present in the package — this is a documentation mismatch (not necessarily malicious, but confusing).
Install Mechanism
No install spec in registry; this is effectively instruction+code. requirements.txt lists rdflib and pyshacl (expected for RDF/SHACL processing). No remote download URLs or extract/install steps were found.
Credentials
The skill requests no environment variables, no credentials, and accesses only local files passed by the user. Declared inputs are proportionate to its purpose.
Persistence & Privilege
always is false and the code does not attempt to modify other skills or system config. It performs only local parsing/validation/classification.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md contains detected unicode control characters. This is not expected for a simple README/instruction file and can be used to hide or manipulate rendered text (prompt-injection / obfuscation). The rest of the code does not show network/credential exfiltration patterns, so this is likely an attempt to obfuscate content rather than evidence of runtime exfiltration — but it requires inspection.
What to consider before installing
The package appears to implement a local SHACL + classification tool and does not request credentials or network access, which is coherent with its description. However:
1) SKILL.md was flagged for hidden/unusual unicode control characters — open the raw SKILL.md (view bytes) and remove/inspect any invisible characters before trusting its text; these can be used to hide malicious instructions or to try to influence downstream processing.
2) The README mentions a cloud 'Heartbeat Auditor' and a 'claw' CLI that are not present in the code; treat those references as documentation noise and do not assume any automatic cloud sync.
3) Run the scanner in a sandbox or isolated environment first (or inspect shapes_embedded.py and all Python files for any late-added network calls) before running it on sensitive data.
4) If you intend to use this on real user data, validate the code locally (pip install requirements in a virtualenv), run the included unit tests, and review the embedded TTL shapes for any unintended content.
If you need higher assurance, ask the publisher for the canonical source repository or a signed release; unknown origin + hidden characters lowers trust.
Like a lobster shell, security has layers — review code before you run it.
