Skill v1.2.0

ClawScan security

Heartbeat Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 26, 2026, 1:02 AM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill mostly does what its README says (local heartbeat, file updates, optional Canvas/FSP/email/git sync), but there are multiple mismatches and surprising behaviors (Discord posting, reading ~/.openclaw, settings defaults that enable git/push) that make the bundle incoherent and warrant caution before installing or enabling features.
Guidance
This skill appears to implement a reasonable heartbeat/monitoring tool, but there are concrete inconsistencies and surprising behaviors you should address before installing or enabling features:

- Review config/settings.yaml in the package: it currently sets git.enabled: true and git.auto_push: true. If you do not want any remote pushes, change git.enabled: false and auto_push: false before running.
- By default the code will try to send emails/IMAP checks if email.enabled is true. Keep email.enabled=false until you intentionally create config/.env with only the credentials you trust.
- The code contains an undocumented Discord notifier that will attempt to read ~/.openclaw/openclaw.json to obtain a bot token and post heartbeat messages to Discord. If you do not want this, search for "discord_notify" or the _notify_discord_heartbeat function and disable/remove it, or ensure no sensitive tokens exist in ~/.openclaw.
- Treat config/.env and any API tokens (Gmail App Password, CANVAS_API_TOKEN, FSP_API_TOKEN) as sensitive; only populate them after auditing the code. The skill claims it won't upload those files, but it can use them locally to contact external services.
- Run the skill in a sandboxed environment first (or inspect/grep the code for network calls like requests.get/post and subprocess.run) to confirm behavior. Specifically, inspect heartbeat_run.py for where Discord/curl is invoked and review git_ops.py to understand what will be added/committed/pushed.

If you want a lower-risk start: set email.enabled=false, monitoring.canvas.enabled=false, monitoring.fsp.enabled=false, git.enabled=false in config/settings.yaml and run python tools/heartbeat_run.py status to observe local, read-only behavior before enabling external integrations.

Review Dimensions

Purpose & Capability
Status: concern
Name/description match core capabilities (heartbeat, reports, Canvas/FSP sync), but shipped defaults and included code diverge: SKILL.md and meta claim Git push is disabled by default, yet config/settings.yaml in the package sets git.enabled: true and auto_push: true. The package also contains Discord notification logic (not documented in SKILL.md) that reads other agent config; that access is out of scope for a pure heartbeat manager.
Instruction Scope
Status: concern
Runtime instructions and code operate on workspace files (expected) and call external services (Canvas, FSP, IMAP/SMTP) only if tokens are set (expected). However, the code also attempts to read ~/.openclaw/openclaw.json to obtain a Discord bot token and will POST to discord.com via curl if Discord notifications are enabled (the SKILL.md does not mention this). The skill thus accesses other agent config and an external chat endpoint beyond the documented integrations.
Install Mechanism
Status: ok
No install spec: code is included as files (lower install risk). Dependencies are standard Python libraries. No remote download or arbitrary extraction observed in the manifest.
Credentials
Status: concern
Registry metadata declares no required env vars, but the code expects optional secrets in config/.env (EMAIL_APP_PASSWORD, CANVAS_API_TOKEN, FSP_API_TOKEN). That's acceptable if optional, but the code also reads ~/.openclaw/openclaw.json (other agent credentials) to obtain a Discord token, which is not declared or documented. The package's settings.yaml enabling git.auto_push by default further escalates required trust, since pushing can leak workspace contents to a remote.
Persistence & Privilege
Status: concern
The skill writes/updates workspace files and logs (declared). However, it also reads a user-level OpenClaw config file (~/.openclaw/openclaw.json) and can perform network posts to Discord using a token recovered from that file. Combined with the unexpected git auto_push default, this creates a higher privilege/persistence surface than the SKILL.md conveys.