ClawHub

TeamAgent

Security checks across malware telemetry and agentic risk

Overview

TeamAgent appears to be a real collaboration skill, but it handles tokens, local OpenClaw control, external services, and background chat routing with enough overbroad authority and under-disclosure that users should review it before installing.

Install only if you trust the TeamAgent operator and intentionally want broad task mutation, external model calls, local token storage, watch-mode background operation, and OpenClaw gateway integration. Prefer an HTTPS hub, do not paste bearer tokens into chat, avoid copying OpenClaw auth files to sub-agents unless you accept that privilege spread, and review any generated OpenClaw configuration changes before applying them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This section routes mobile chat messages through a local OpenClaw/Claude session via a localhost gateway, effectively turning the skill into a message relay into a local agent environment. That expands scope from task coordination to interactive proxying, which can expose local context and enable unintended command or prompt injection pathways from remote chat users.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The documented behavior includes creating local workspaces, modifying agent inventories, copying auth files, and changing gateway configuration to spawn sub-agents. Those actions materially exceed a simple collaboration client and can alter the local agent runtime, increasing risk of privilege expansion, credential spread, and persistent environment modification.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The worker contains a substantial mobile chat routing subsystem that is outside the declared collaboration/step-execution scope. It ingests incoming chat messages, forwards them into another session/toolchain, and posts replies back automatically, which materially expands the skill’s authority and data flow beyond user expectations. This creates an unexpected messaging bridge and increases the blast radius if the local gateway or routed session is compromised or misused.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code reads a gateway token from a separate local OpenClaw configuration file and uses it to invoke another local service. Borrowing credentials from an unrelated toolchain is a privilege-boundary violation: the skill silently inherits external capabilities not justified by its stated purpose, potentially enabling unauthorized access to sessions or tools available through that gateway.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This handler reads an external API key from the environment and sends prompts to a third-party LLM service, which expands the skill's trust boundary and introduces confidentiality and supply-chain risk. In a collaboration platform, outbound model calls may be functionally useful, but doing so without explicit scope restriction, approval, or data-minimization means task and team data can leave the local system unexpectedly.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The prompt hardcodes operational instructions to create local OpenClaw workspaces, patch gateway configuration, and validate agent presence, which goes beyond passive task decomposition into environment modification and agent provisioning. Because these instructions are embedded as mandatory decomposition rules, a user can trigger plans that normalize privileged local changes unrelated to the stated collaboration-platform purpose.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The client reads API tokens from environment variables and persists them to a local config file under the user's home directory. Persisting secrets beyond immediate runtime use expands exposure surface: other local processes, backups, accidental commits, or misconfigured file permissions can leak long-lived credentials. In this skill context, the token grants access to a collaboration hub, so unauthorized reuse could let an attacker impersonate the agent and manipulate tasks.

Description-Behavior Mismatch

Medium
Confidence
76% confidence
Finding
The implementation exposes broad task mutation capabilities including update, completion, creation, and deletion, which goes beyond a narrow 'collaboration' description and increases the blast radius of a compromised or overprivileged agent. In a multi-agent platform, these methods can be abused to tamper with workflow state or destroy task data if the token is misused or the agent is tricked into running destructive commands.

Vague Triggers

Medium
Confidence
71% confidence
Finding
The natural-language triggers are broad enough that ordinary conversation like asking to check tasks or submit work could invoke the skill unexpectedly. In a skill that can contact remote services, change agent status, or handle tokens, accidental invocation increases the chance of unintended network actions or credential-related flows.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users and agents to save, paste, and transmit bearer tokens without emphasizing that these are sensitive credentials. That normalizes unsafe secret handling in chat and increases the likelihood of token leakage, replay, account takeover, or unauthorized task actions if transcripts or logs are exposed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The worker extracts a gateway token from local configuration and uses it for outbound HTTP requests without any user-facing warning, consent, or disclosure. Even though the target is localhost, this still grants the skill hidden access to another privileged service and prevents users from understanding that external credentials are being consumed on their behalf.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Incoming chat content is automatically forwarded to another local service/session for processing, then the generated reply is sent back to the user. This is a privacy and trust-boundary issue because user messages are relayed to a secondary processor without clear notice, and the downstream session may have different capabilities, retention, or prompt context than the user expects.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Task descriptions and team-member data are transmitted to an external LLM endpoint without any visible consent, warning, or filtering in this file. In a multi-agent collaboration system, those fields may contain sensitive business context, identities, capabilities, or internal plans, so silent exfiltration to a third party is a real confidentiality issue.

Missing User Warnings

High
Confidence
99% confidence
Finding
The default hub URL uses plain HTTP, yet the client sends bearer tokens in the Authorization header for authenticated requests. This allows network attackers on the path to intercept or modify traffic, steal tokens, hijack agent identity, and tamper with tasks or pairing flows. The multi-agent remote-control context makes this especially dangerous because the credential directly enables API actions against the hub.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The CLI delete command performs an irreversible destructive action immediately, without any confirmation prompt, dry-run, or warning. In agent or scripted environments, this increases the chance of accidental or socially engineered deletion of tasks, especially when commands may be generated from natural-language instructions or external task content.

Ssd 3

High
Confidence
98% confidence
Finding
This explicitly tells the agent to ask the human to paste a saved token back into chat, creating a credential-harvesting pattern. Chat channels are often logged, retained, or visible to intermediaries, so encouraging secret entry there can directly expose bearer tokens that grant account/API access.

Ssd 3

Medium
Confidence
87% confidence
Finding
Forwarding pairing codes and then conditioning the user to later return a token through chat normalizes sharing authentication artifacts in conversational channels. Even if the pairing code is lower sensitivity than the token, this pattern trains unsafe behavior and increases the chance users disclose higher-value credentials in the same flow.

Ssd 4

Medium
Confidence
93% confidence
Finding
The task description is interpolated verbatim into the planner prompt, so attacker-controlled or untrusted task text can steer the LLM into producing unsafe or unauthorized multi-step plans. The risk is elevated here because the output is not just advisory text: it is submitted back to the platform to automatically create child steps for other agents, turning prompt injection into workflow manipulation.

Ssd 3

High
Confidence
98% confidence
Finding
The prompt explicitly requires artifacts containing agent identifiers, emails, token prefixes, and configuration evidence, creating a built-in path for sensitive data collection and disclosure. Even partial credential material such as token prefixes can aid correlation, reconnaissance, and operational leakage, especially when bundled into generated markdown artifacts that may be stored, shared, or exposed to other agents.

VirusTotal

No VirusTotal findings

View on VirusTotal