ClawHub

Heartbeat Manager

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed heartbeat and task monitor, but it ships with automatic Git push enabled and includes an undisclosed Discord notification path that can reuse an existing OpenClaw token.

Review before installing. Disable git.enabled, git.auto_commit, and git.auto_push unless you explicitly want this skill to commit and push workspace changes to your remote. Add or change discord_notify.enabled to false unless you knowingly want heartbeat status posted to Discord, and do not rely on shared ~/.openclaw credentials for this skill. Only add email, Canvas, or FSP tokens if you are comfortable with the skill reading those services and rewriting workspace status files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill requests or documents capabilities equivalent to environment access, file read/write, network access, and shell execution, but does not declare permissions explicitly. That creates a transparency and consent problem: users may install a task-monitoring skill without realizing it can read credentials, modify repository files, contact external services, and invoke system commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose describes heartbeat/task management, but the documented behavior expands into IMAP/SMTP access, Canvas and FSP API access, possible Discord posting, git commit/push, and synchronization of external data into workspace files. This mismatch is dangerous because it can mislead users about the true trust boundary and side effects, leading them to expose inbox contents, API tokens, local repository state, and remote destinations without informed consent.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is described as a heartbeat/status manager, but the configuration enables automatic Git commit and push to a remote repository. That creates an outbound data-transfer capability unrelated to basic heartbeat tracking and can leak workspace contents, status data, or other files if the sync scope is broader than intended.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest does not disclose that the skill can connect to external Canvas and FSP services and synchronize data into the workspace. Hidden or under-disclosed external integrations are risky because they expand the trust boundary, introduce token-handling requirements, and may collect or persist sensitive academic or scheduling data unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Website monitoring for Canvas and FSP is not obviously necessary for a heartbeat-manager and significantly broadens the skill's capabilities beyond task liveness tracking. This increases the attack surface by introducing external network access, token usage, and local persistence of third-party data in the workspace.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The skill description is about heartbeat/task-status management, but this module retrieves course and assignment data from a personal Canvas account using an API token. That is a scope-expanding integration involving access to user educational data, which can violate least-privilege expectations and create privacy risk if enabled without explicit user understanding and consent.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill manifest describes passive status checking and reporting, but this file also performs a destructive write operation that removes completed todo items from workspace/todo.md. That mismatch is security-relevant because agents or users may grant this skill read/reporting privileges while not expecting silent mutation or deletion of task history.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The daily reset function performs an additional website monitoring sync against Canvas/FSP, which expands the module's behavior beyond reset/report duties into network-connected data collection and synchronization. This kind of scope expansion is risky because a scheduled housekeeping action can unexpectedly trigger external access, side effects, or data changes without a clear separation of responsibilities or user consent.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill claims to provide heartbeat/task health management, but this module adds repository-writing capabilities that modify tracked files and create commits. That scope expansion increases the attack surface and can enable persistence or unintended data manipulation even if the code is not overtly malicious.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
git_push can remotely publish repository contents when enabled, which is a powerful exfiltration and propagation capability unrelated to basic heartbeat management. In an agent context, this is more dangerous because the skill can transform local state changes into external network-side effects and leak sensitive workspace contents to a remote origin.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill metadata says this component manages heartbeats, status, and reports, but the code also probes a local browser-attached service and performs external site synchronization for Canvas/FSP data. This is dangerous because it expands the skill's authority and data-access scope beyond what an operator would reasonably expect, increasing the chance of unauthorized data collection or unintended side effects in a privileged agent environment.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill performs outbound Discord notifications and loads credentials to do so, but the metadata does not disclose this external communication behavior. In an agent setting, undisclosed outbound messaging is security-relevant because status content, alerts, or task metadata may be exfiltrated to third-party infrastructure without clear operator awareness.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
When no token is configured locally, the code falls back to reading a user-level `~/.openclaw/openclaw.json` file and reuses a Discord token from another application context. This is dangerous because it crosses trust boundaries, silently broadens credential access for the skill, and can cause the agent to use sensitive user-scoped credentials without explicit permission or least-privilege controls.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill is presented as a heartbeat/task-status manager, but this module adds full IMAP inbox access and SMTP delivery, which materially expands the capability and data-access surface beyond the stated purpose. Hidden or weakly justified communication features are dangerous in agent skills because they can enable data exfiltration, covert notifications, or collection of sensitive mailbox metadata without clear user expectation.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
This code logs into a mailbox, enumerates unread and flagged mail, and fetches sender/subject metadata for selected messages, yet that mailbox-reading behavior is not clearly justified by the heartbeat-manager use case. In an agent context, unnecessary inbox access increases the chance of sensitive information exposure and can be repurposed for surveillance or harvesting of operational communications.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The template explicitly instructs users to sync Canvas and FSP schedules and states that a heartbeat process will automatically capture data after the browser is opened, but it provides no notice about what data is accessed, where it is sent, or whether consent is required. In a heartbeat-management skill that runs alongside synchronized monitoring, this creates a real privacy and unauthorized data-collection risk because users may trigger browser-based extraction without understanding the scope of access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
clean_done_todos() silently deletes all completed checklist entries by rewriting todo.md, with no confirmation, preview, backup, or audit trail. In an agent context, this can erase task history, reduce accountability, and potentially hide prior work or evidence of unauthorized actions under the guise of housekeeping.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
This code automatically sends an email report as part of the reset flow without any confirmation, policy check, or visible consent mechanism in this file. In an agent skill context, unattended outbound communication can leak task status, health metrics, or other workspace-derived content to recipients unexpectedly.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The function overwrites workspace/daily.md with new template content every run, which is a destructive operation that can erase user edits or evidence of prior state if triggered unexpectedly or at the wrong time. Because it uses an atomic rename, the overwrite is reliable, making accidental or unauthorized invocation more damaging rather than less.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
Completed tasks are removed from ongoing.json rather than archived with provenance, which can destroy history and make recovery or auditing difficult. In an automation context, silent data deletion is dangerous because operators may not realize task records were purged after a scheduled run.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal