ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Workspace Heartbeat Integration

v1.0.0

Automates synchronized logging of work sessions, heartbeat state updates, and daily summaries by integrating HEARTBEAT.md, heartbeat-state.json, and workspac...

0· 90·0 current·0 all-time
by@utopiabenben
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Functionality (logging, syncing heartbeat-state.json, reading MEMORY.md/TASK_BOARD.md) matches the skill description. However the code hardcodes WORKSPACE = /root/.openclaw/workspace while SKILL.md and install.sh refer to ~/.openclaw/workspace and the install writes user configs to ${HOME}. The hardcoded root path is unnecessary for the stated purpose and is an inconsistency that could cause unexpected access to root-owned files if run as root.
!
Instruction Scope
SKILL.md instructs only local workspace file operations (sync, log, report). The implementation does those things, but SKILL.md claims 'Thread-safe: Uses file locks' while integration.py contains no file-locking implementation. The code reads and writes workspace files (heartbeat-state.json, daily memory files, TASK_BOARD.md) and will create config/state files; nothing in the README directs network exfiltration, but the file-system targets and missing locking are scope and correctness concerns. Tests and SKILL.md suggest configurable workspace path, but the code uses a fixed Path constant.
Install Mechanism
No external downloads or third-party package installs; install.sh is local and creates a symlink to source/integration.py in ${HOME}/.local/bin and writes a default config to ${HOME}/.config/workspace-heartbeat-integration/config.json. The script optionally attempts to publish via a local clawhub CLI if present. This is low risk compared to remote downloads, but it modifies PATH-accessible binaries (symlink) and writes config/state files.
!
Credentials
The skill declares no required credentials or env vars, which is appropriate. However, the code's hardcoded workspace path (/root/.openclaw/workspace) and skill.json's configPaths mismatch the documentation (which uses ~/.openclaw/workspace). Tests attempt to override WORKSPACE via an env var but the module doesn't honor it; instead tests mutate object attributes. This mismatch increases the chance of accidental access to unexpected filesystem locations and is disproportionate to the simple task of per-user workspace logging.
!
Persistence & Privilege
The skill does not set always:true and does not request elevated privileges in metadata, which is good. However, by default the runtime code writes state into /root/.openclaw/workspace (and install.sh writes config to the invoking user's ${HOME}), so if run as root it could persist data to root's workspace. The skill does not modify other skills or system-wide configs beyond creating a symlink and config files, but the hardcoded root path combined with file writes is a notable privilege/persistence concern.
What to consider before installing
Things to check before installing or running this skill: - Do not run install.sh or the integration as root unless you intentionally want it to operate over /root/.openclaw/workspace. The code hardcodes WORKSPACE = /root/.openclaw/workspace; change it to use your HOME or a configurable path if you want per-user behavior. - The SKILL.md claims file-locking/thread-safety but the Python code contains no locking; if you run the CLI concurrently you may get race conditions. Review/implement file locks (e.g., fcntl or lockfiles) if concurrent runs are possible. - The install script creates a symlink in ~/.local/bin pointing directly at the source Python file. Confirm that the location of the skill directory is trustable and that the symlink is acceptable for your environment. - The skill writes state and logs locally (heartbeat-state.json, daily memory files). Inspect the code to ensure no sensitive files will be read by the simple glob/reads it performs (it only targets memory/YYYY-MM-DD files and TASK_BOARD.md, but the hardcoded workspace path may expose other files if paths are changed). - If you want to use this skill safely: edit integration.py to derive WORKSPACE from environment or a passed config path (e.g., use os.environ['HOME'] or the config file), add explicit file-locking, and test in an isolated directory first. - If you are uncertain, run the included tests in a sandboxed environment (non-root temp dir) after patching the WORKSPACE constant or injecting a proper config_path. Overall: the skill is not obviously malicious, but the path/lock inconsistencies and install-time filesystem writes make it suspicious until you confirm and possibly fix those issues.

Like a lobster shell, security has layers — review code before you run it.

latestvk972m3j1vvec4bdndahex2evr9836rmh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments