Security audit

Workspace Heartbeat Integration

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs disclosed local heartbeat logging, but its installer can publish the package through the user's ClawHub account during what appears to be a local install.

Review install.sh before running it. Install through the normal ClawHub flow when possible, and do not run the bundled installer unless you understand and approve the publish command and the config overwrite. Treat heartbeat logs as persistent memory: avoid logging secrets and periodically review what is written under the workspace memory directory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 92% confidence
Finding: The trigger conditions are broad enough that an agent could invoke this skill during many routine workflows without a clear user request or narrow scope. Because the skill is designed to read and write workspace state, ambiguous activation increases the chance of unintended file modifications, excessive logging, or propagation of sensitive work context into memory files.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The installer unconditionally writes a new config.json using shell redirection, which will overwrite any existing user configuration without prompting, backup, or merge behavior. This can destroy user preferences or safety-related settings and may cause the tool to run with defaults the user did not intend.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal