Council Builder
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: council-builder Version: 2.0.0 The 'council-builder' skill bundle is a legitimate framework designed to help users create and manage a multi-agent 'council' within OpenClaw. It includes a shell script (scripts/init-council.sh) for initializing a local directory structure and numerous templates for defining agent personalities (SOUL.md) and coordination rules. The bundle demonstrates a proactive security posture by including templates for safety hooks (hooks-patterns.md), verification checklists, and explicit instructions in the root AGENTS.md template to avoid data exfiltration and destructive commands. No evidence of malicious intent, data theft, or unauthorized remote execution was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated agent council may treat private workspace files or calendar information as fair game unless the user tightens the rules.
This persistent template grants broad read, organization, web, and calendar activity as default behavior for generated councils, without narrowing it to specific approved agents or per-action confirmation.
**Do freely:** Read files, explore, organize, search web, check calendars, work in workspace.
Before using the generated AGENTS.md, narrow the allowed actions per agent and require confirmation before accessing calendars, sensitive folders, or making workspace changes.
Incorrect, sensitive, or poisoned notes could become durable instructions that affect later sessions and other agents.
The self-improvement system can promote logged learnings into persistent instruction files such as SOUL.md, AGENTS.md, TOOLS.md, or MEMORY.md, which can shape future agent behavior.
Same learning appears 3+ times → auto-promote
Require explicit user review before promoting learnings into permanent instruction or memory files, and periodically audit .learnings, MEMORY.md, AGENTS.md, and shared/learnings.
Using the wrong workspace path or unusual agent names could create files in unintended locations.
The included shell script is purpose-aligned and only creates local files/directories, but it writes under a user-supplied path and agent names are not validated.
WORKSPACE="${1:?Usage: init-council.sh <workspace-path> <agent-name> [agent-name...]}" ... mkdir -p "$WORKSPACE/shared/reports"Run the script only after approving the plan, use a dedicated workspace path, and keep agent names to simple alphanumeric or hyphenated names.