Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Heartbeat
v1.0.0Unified heartbeat system for OpenClaw agents. Runs parallel health checks, data collectors, and state monitors in one command. Returns a single actionable su...
⭐ 0· 101·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description match the implementation: the script reads a config and runs configured collectors/health checks in parallel and produces a summary. No unexpected external services, packages, or credentials are declared as required.
Instruction Scope
SKILL.md and the script instruct the agent to read heartbeat.yaml from the workspace and run arbitrary commands (via shell). The script executes those commands with shell: true and inherits process.env, so collectors can call arbitrary network endpoints, run local scripts, read arbitrary workspace files, and include environment variables or inline credentials. The instructions also suggest wiring into cron and running unattended, increasing the blast radius.
Install Mechanism
No install spec — instruction-only with an included Node.js script. Nothing is downloaded from the network by an installer. The risk surface is limited to what the script does at runtime, not an external installer.
Credentials
The skill declares no required env vars but the code runs commands with the full process.env and the docs show examples that use environment variables (e.g., $EMAIL_KEY, $TG_KEY) and header-based API keys. This means the skill can access any secrets present in the agent's environment or config and can send them out via curl or other commands defined in heartbeat.yaml. The lack of declared env requirements is not a protection — it only hides that the script will have access to all env vars.
Persistence & Privilege
always:false (normal). The script writes output and cache files (default research/latest.md and .heartbeat-cache/). Writing to the workspace is expected for a heartbeat, but because collectors are arbitrary commands they could write elsewhere or modify files. The ability for the agent to invoke the skill autonomously (disable-model-invocation:false) combined with cron wiring increases potential for unattended actions; this is expected but relevant to risk.
What to consider before installing
This skill runs whatever shell commands you put in heartbeat.yaml and does so with the agent's full environment and filesystem access. Before installing or scheduling it: 1) audit every heartbeat.yaml you will use — do not include commands that reference unknown URLs or inline keys; 2) remove any sensitive credentials from the agent environment or use dedicated low-privilege service accounts for monitored endpoints; 3) run the script in an isolated environment (container or VM) first to observe behavior; 4) avoid enabling cron/autonomous runs until you trust the config and code; 5) if you must run on a host with secrets, constrain collectors to safe wrappers (or whitelist allowed commands) so they cannot read arbitrary files or exfiltrate data. If you want, I can scan your heartbeat.yaml or the specific collector commands for risky patterns and suggest safer alternatives.scripts/heartbeat.js:89
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
agentsvk97dph30ksnv83sdvfax9b57rn832zctheartbeatvk97dph30ksnv83sdvfax9b57rn832zctlatestvk97dph30ksnv83sdvfax9b57rn832zctmonitoringvk97dph30ksnv83sdvfax9b57rn832zct
License
MIT-0
Free to use, modify, and redistribute. No attribution required.