Heartbeat Kit
ReviewAudited by ClawScan on May 1, 2026.
Overview
The kit is an instruction-only heartbeat-template package with no code or exfiltration evidence, but users should review its recurring email/calendar access and raw Markdown comments before use.
Before installing, inspect the raw Markdown template, confirm which email and calendar accounts your agent can access, customize the variables and quiet hours, and remove HEARTBEAT.md when you no longer want recurring background checks.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled, the agent may repeatedly read private email subjects and calendar details.
The heartbeat template directs the agent to access email and calendar data, which are private account resources. This is aligned with the skill's monitoring purpose, but it depends on whatever account access the user's agent has.
- Check for unread emails ... - Check events in next 24 hours
Only use this with email/calendar connectors you trust, limit the accounts available to the agent, and customize priority senders, keywords, and calendar scope.
The agent can continue checking configured sources on a schedule without a fresh request each time.
The skill is designed for recurring background heartbeat activity. This is disclosed and core to the purpose, but it means the instructions continue running after setup.
Your OpenClaw agent has a heartbeat system — periodic check-ins where it can do background work.
Set an appropriate heartbeat interval, review quiet hours, and remove or edit HEARTBEAT.md when you no longer want background checks.
Non-rendered text could affect how the agent interprets the heartbeat template if copied raw.
The active Markdown template contained hidden comment blocks in the provided artifact representation. Hidden Markdown comments can be read by agents that process raw files even if they are not visible in rendered Markdown.
"hiddenCommentBlocksRemoved": 6
Inspect the raw template file before using it and remove any hidden comments or instructions you do not want the agent to follow.
Users may expect files or workflows that are not included in this package.
The skill documentation lists multiple template files, but the provided manifest includes only templates/combined-lite.md. This is a package/documentation mismatch rather than evidence of malicious behavior.
| `email-check.md` | Check unread emails, surface urgent ones | ... | `combined-full.md` | Everything above, rotated across heartbeats |
Verify the installed files and do not fetch missing templates from untrusted sources.
Private summaries could persist locally and be visible to anyone with access to the workspace or agent history.
The README acknowledges local processing/storage. Combined with email/calendar summaries, users should assume sensitive heartbeat outputs may remain in local agent logs or workspace state.
This software processes and stores data locally on your system.
Keep the workspace private, avoid overly detailed summaries, and clear local logs or history if they contain sensitive information.