ClawHub

Heartbeat Tasks

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about its heartbeat purpose, but it asks an agent to run recurring crypto trades and modify persistent memory without clear safety limits or approval controls.

Install only if you intentionally want an agent to manage scheduled trading and persistent memory tasks. Before use, keep trading in paper mode or require explicit confirmation for each live order, set strict account and position limits, scope any exchange credentials tightly, and back up MEMORY.md, trading_rules.md, and heartbeat-state.json.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs archival, cleanup, and memory file modification actions that can alter or delete user data, but it provides no confirmation step, backup requirement, or warning about irreversible impact. In an agent setting, this creates a real risk of unintended data loss or silent corruption if the heartbeat runs automatically on schedule.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill describes an automated trading loop that fetches market data, obtains an AI decision, validates rules, and executes trades, yet it includes no warning, approval gate, position limits, or fail-safe controls. Because this is framed as a periodic heartbeat task, it increases the chance of unattended financial actions and repeated losses if the agent misfires, is manipulated, or operates on bad data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal