Doppleganger

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a narrow duplicate-agent guard. The main thing to notice is its reliance on a separate local subagent-tracker script.

This looks safe for its stated purpose. Before installing, make sure you also trust the local `subagent-tracker` skill it calls, because Doppleganger’s decision to allow or block a new subagent depends on that tracker’s output.

VirusTotal

64/64 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

A false duplicate result could cause the agent not to start a subagent the user expected.

Why it was flagged

The skill changes tool-use behavior by preventing subagent spawning when a duplicate is reported. This is the stated purpose and is clearly disclosed, but it affects whether work is delegated.

Skill content

If `duplicate: true`, do not call `sessions_spawn`.

Recommendation

Use this only where duplicate prevention is desired, and if work is unexpectedly not started, verify the reported running session or tracker state.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

If the local tracker script is missing, stale, or replaced, duplicate-check results could fail or become untrustworthy.

Why it was flagged

Doppleganger delegates its decision to a separate local `subagent-tracker` script. That dependency is disclosed and purpose-aligned, but it is outside this skill's own files and should be installed from a trusted source.

Skill content

TRACKER_SCRIPT = OPENCLAW_HOME / "workspace" / "skills" / "subagent-tracker" / "scripts" / "subagent_tracker.py"

Recommendation

Install and review the `subagent-tracker` skill from a trusted source, and keep `OPENCLAW_HOME` pointing to the intended workspace.