ClawHub

Heartbeat Tasks

v1.0.0

Manage and execute periodic heartbeat tasks for trading, memory evaluation, archiving, and reporting with state tracking and anomaly alerts.

0· 341·5 current·6 all-time
by@wuzimaki
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's name/description (heartbeat tasks for trading, memory management, archiving, reporting) matches the SKILL.md content. However, the SKILL.md requires actions (fetch market data, 'execute trades', update local state files) that normally require exchange API credentials and explicit config path access; those credentials and config paths are not declared in the registry metadata. This is disproportionate/inconsistent.
!
Instruction Scope
Runtime instructions reference specific local files (/Users/zst/clawd/HEARTBEAT.md and /Users/zst/clawd/memory/heartbeat-state.json) and direct updates to status files. They also instruct executing trades and contacting an AI for trading decisions. The registry lists no config paths or env vars; the SKILL.md therefore tells the agent to read/write user files and perform networked trading actions without documenting those required accesses.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code, which reduces install-time risk (nothing is downloaded or written during install).
!
Credentials
No environment variables, credentials, or primary credential are declared, yet the skill's functionality (trading execution, fetching market data) typically requires API keys/secrets and network access. Additionally, the SKILL.md expects access to specific user file paths but none are listed under required config paths — a mismatch that can hide where sensitive credentials or files must be stored.
Persistence & Privilege
The skill does not request 'always' presence and doesn't claim to modify other skills. Model invocation is allowed (the platform default) which increases autonomy but is not by itself a red flag; combined with the other inconsistencies it warrants caution.
What to consider before installing
This skill's instructions will read and update specific local files and claim to "execute trades," but the package metadata does not list any required config paths or API credentials. Before installing: (1) Ask the publisher to document exactly which API keys, secrets, and config file paths are required and where they must be stored; (2) require that trading execution be disabled by default (or require explicit, documented exchange credentials) so it cannot act on live funds without your clear setup; (3) confirm what market data endpoints it calls and whether any external endpoints receive your data; (4) prefer a version that uses relative/agent-controlled config paths rather than hard-coded /Users/… paths; (5) test in a sandboxed agent without real exchange credentials or sensitive files. Because the source and homepage are unknown, treat this as higher-risk until those clarifications are provided.

Like a lobster shell, security has layers — review code before you run it.

latestvk970v3fktbdk5ftg2kc1t2khb1827cng

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments