Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pilot Heartbeat Monitor
v1.0.0
Detect agent failures and trigger automatic task redistribution or re-election. Use this skill when: 1. You need to detect when swarm members become unreacha...
by Calin Teodor (@teoslayer)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (heartbeat/failure detection and failover) align with the runtime instructions: publish heartbeats, read inbox, detect timeouts, and ping peers via pilotctl. Required binary pilotctl and dependency on a pilot-protocol skill are appropriate.
Instruction Scope
Instructions are concrete and limited to heartbeat publication, inbox inspection, and direct ping verification. However the SKILL.md references environment variables (e.g., $AGENT_ID, $SWARM_NAME, $REGISTRY_HOST) and tooling (jq, bc) that are not declared in the skill metadata; it also assumes a registry endpoint and pilotctl daemon context without specifying auth or expected network boundaries.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be downloaded or written by the installer. Risk from installation is low.
Credentials
The skill declares no required environment variables or credentials, yet the commands depend on several variables (AGENT_ID, SWARM_NAME, REGISTRY_HOST) and will likely require authentication to publish/read from a registry in real deployments. The skill does not request or document any credentials or how pilotctl authenticates, which is a gap: users might need to supply tokens or other secrets elsewhere but the skill gives no guidance.
Persistence & Privilege
The skill is not always:true, does not request persistent system changes, and is user-invocable only. It does not attempt to modify other skills or system-wide config in the instructions.
What to consider before installing
This skill appears to do what it says (heartbeat publication and failure detection) but there are gaps you should clarify before installing or running it:
- Ensure pilotctl is a trusted binary on PATH and you understand how it authenticates to the registry (the SKILL.md assumes you can publish and read messages but doesn't declare required credentials or how to provide them).
- The instructions use environment variables ($AGENT_ID, $SWARM_NAME, $REGISTRY_HOST) that are not declared in the skill metadata—decide how you will set these and whether any of them contain sensitive values.
- Confirm the network and privacy implications of publishing heartbeats to the registry and of pinging peers (these actions expose agent IDs and addresses on the network).
- Verify the presence and provenance of tooling the scripts call (jq, bc) and run the commands in a restricted/test environment first.
- Note the skill is licensed AGPL-3.0; if you embed or modify it, that license may affect redistribution of your modified skill.
If you need a cleaner security posture, request the author to: declare required env vars and any credentials, document authentication flows for pilotctl/registry, and state expected network/trust boundaries.
Like a lobster shell, security has layers — review code before you run it.
latest: vk971j1x3n5b5t3tvsm2dyrfg7h84ghj9
Runtime requirements
Bins: pilotctl
