Heartbeat Cron

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent, but it helps set up recurring agents that can run commands, mutate accounts, and send data externally, and it includes an unsafe Docker cleanup example.

Install only if you intentionally want recurring autonomous agent workflows. Review the exact HEARTBEAT.md before testing or registering it, avoid `permissions: skip` and `danger-full-access` unless necessary, use scoped tokens or dedicated accounts, prefer report-only or dry-run behavior for cleanup and account changes, and know how to stop or remove the murmur daemon schedule.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to execute shell commands such as `which murmur`, `brew install`, `git clone`, `bun install`, `murmur beat`, and `murmur init`, but the skill metadata does not declare permissions or warn clearly about command execution. This creates a capability/permission mismatch that can lead to unexpected local system changes and makes review and policy enforcement harder.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill expands from drafting a heartbeat file into conducting web searches for CLIs, MCP servers, and third-party skills, which broadens trust boundaries and can steer the agent toward installing or depending on unreviewed tools. This is dangerous because a seemingly narrow authoring skill becomes a software-recommendation and acquisition workflow with increased supply-chain and prompt-injection exposure.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill tells the agent to install murmur via Homebrew or from source and to scaffold workspaces, which exceeds a simple file-creation role and causes direct system modification. Installation from source and package managers introduces supply-chain risk and can alter the host environment without explicit, separate authorization.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Directing the agent to search the web for CLIs, MCP servers, and community skills exposes it to untrusted content and increases the chance of recommending malicious tools or following adversarial instructions embedded in websites. In the context of a scheduler-setup skill, this extra browsing capability materially raises attack surface beyond what is needed to create a heartbeat file.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The example includes an operational action that can delete Docker resources (`docker system prune -f`) rather than merely drafting or registering a HEARTBEAT.md. In a scheduling skill, this meaningfully increases risk because a user may adopt the example verbatim and cause unintended data loss or service disruption on recurring execution.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This test models a generated heartbeat that goes beyond passive monitoring and can modify repository state by applying labels to issues. In a skill whose stated role is to interview, draft, test, and register scheduled prompts, embedding autonomous repo-changing behavior expands the operational scope and increases the chance that scheduled jobs perform unintended write actions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
These test scenarios validate generalized delivery commands that can send data to Slack, Telegram, GitHub, ntfy, or files, which effectively demonstrates command-execution and exfiltration-capable patterns broader than simple HEARTBEAT.md authoring. In an agent skill context, normalizing arbitrary outbound command templates increases risk because generated heartbeats may later run unattended on a schedule with access to tokens and monitored data.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The tested configuration explicitly permits a network-enabled codex agent with workspace-write access, which materially expands what scheduled executions can do beyond interview/setup assistance. When combined with recurring automation, network access plus write permissions can enable broad data access, external transmission, and persistent changes if the generated heartbeat or prompt is unsafe.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script appends untrusted CLI arguments to a single command string and passes that string to execSync, which invokes a shell. An attacker can supply shell metacharacters through remainingArgs to execute arbitrary commands on the machine running the tests, so this is a real command injection issue even in a developer-facing test runner.

Vague Triggers

Medium
Confidence
76% confidence
Finding
Broad triggers like 'monitor', 'watch', and 'automate' can cause the skill to activate in contexts where the user did not intend recurring shell-driven automation. Unintended invocation matters here because the skill can create files, register jobs, and recommend installations, amplifying the consequences of misrouting.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to create or modify HEARTBEAT files and register workspaces in `~/.murmur/config.json` without an explicit user-facing warning about filesystem and configuration changes. Silent persistence is risky because it can establish recurring automated execution and alter global scheduler state in ways the user may not fully anticipate.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
`docker system prune -f` forcefully removes unused Docker data and can delete images, networks, build cache, and stopped containers without prompting. Embedding that in a recurring automation example without a strong warning or explicit consent creates a realistic risk of silent, repeated destructive cleanup and loss of operational state.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The example sends issue data to an external Slack webhook without any visible user disclosure, consent checkpoint, or warning about outbound transmission. In a scheduling/automation context, this matters because users may enable recurring execution and unintentionally exfiltrate potentially sensitive issue titles or security-related metadata to third-party systems on a repeated basis.

External Transmission

Medium
Category
Data Exfiltration
Content
const delivery = {
  type: 'slack',
  webhookUrl: '$SLACK_WEBHOOK_URL',
  command: `curl -X POST -H 'Content-Type: application/json' -d '{"text":"..."}' $SLACK_WEBHOOK_URL`
};

expect(delivery.type).toBe('slack');
Confidence
94% confidence
Finding
curl -X POST -H 'Content-Type: application/json' -d '{"text":"..."}' $SLACK_WEBHOOK_URL` }; expect(delivery.type).toBe('slack'); expect(delivery.command).toContain('curl');

External Transmission

Medium
Category
Data Exfiltration
Content
  type: 'telegram',
  token: '$TELEGRAM_TOKEN',
  chatId: '$CHAT_ID',
  command: `curl -s "https://api.telegram.org/bot$TELEGRAM_TOKEN/sendMessage" -d "chat_id=$CHAT_ID&text=..."`
};

expect(delivery.type).toBe('telegram');
Confidence
94% confidence
Finding
https://api.telegram.org/

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: heartbeat-cron
description: >
  Create and refine HEARTBEAT.md files for murmur — a CLI daemon that runs
  scheduled Claude prompts on a cron or interval schedule. Use this skill when
  the user wants to set up a recurring automated action (e.g., "monitor my
  GitHub issues", "check Hacker News for AI articles", "watch my endpoints",
Confidence
85% confidence
Finding
Create and refine HEARTBEAT.md files for murmur — a CLI daemon that runs scheduled Claude prompts on a cron or interval schedule. Use this skill when the user wants to set up a recurring automated

VirusTotal

59/59 vendors flagged this skill as clean.