TeamClaw

v0.1.3

A high-performance Agent subsystem for complex multi-agent orchestration. It provides a visual workflow canvas (OASIS) to coordinate OpenClaw agents, automat...

by hou xinyuan @avalon-467
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and instructions implement a multi-agent orchestration system, OASIS forum, web UI, Telegram/QQ bots, and a Cloudflare tunnel exactly as the description says — so the capability set aligns with the name/description. However the registry metadata claims no required environment variables while SKILL.md and the code clearly require/expect many secrets (LLM_API_KEY, OPENCLAW_API_KEY/OPENCLAW_SESSIONS_FILE, INTERNAL_TOKEN, TELEGRAM/QQ tokens, PUBLIC_DOMAIN, etc.). That mismatch reduces transparency and is unexpected.
!
Instruction Scope
SKILL.md and the included scripts instruct the agent to: write/modify .env, create user accounts, read local OpenClaw sessions.json (path requested explicitly), start long-running services, and optionally expose the UI publicly via Cloudflare tunnels. Instructions also discuss auto-downloading binaries (bark-server, cloudflared) and starting background processes. These are within the stated purpose but significantly broaden runtime scope (filesystem reads, persistent services, network egress, and public exposure). The SKILL.md also contains detected prompt-injection artifacts (unicode-control-chars), indicating the documentation itself may include hidden control characters — review the raw file.
!
Install Mechanism
There is no formal install spec in the registry, but multiple scripts (e.g., scripts/tunnel.py, launcher.py, run.sh) claim to auto-download binaries like cloudflared and a bark-server. Auto-downloading and extracting executables at first-run is higher risk because the download sources/URLs are not declared in the metadata. The repository includes many files so code will be written to disk and launched as services if you run the provided scripts.
!
Credentials
The skill expects several high-privilege secrets: LLM provider API key(s), OPENCLAW_API_KEY, INTERNAL_TOKEN, TELEGRAM_BOT_TOKEN, QQ credentials, and possibly a PUBLIC_DOMAIN value. These are plausible for the advertised functionality, but INTERNAL_TOKEN is effectively an admin-level token that the bots use to impersonate users (format INTERNAL_TOKEN:username:TG). Providing INTERNAL_TOKEN grants broad authority to call the system as arbitrary users; this is high-risk and must be treated as sensitive. Registry metadata claiming 'none' for required env vars is inconsistent with the runtime requirements.
Persistence & Privilege
The package runs persistent background services (FastAPI/Flask endpoints, scheduler, bot processes) when started via run.sh / launcher.py. The registry flags do not set always:true, so it won't be force-included automatically, but installing/starting it will create long-lived processes and open ports (and the scripts can expose them publicly). The skill does not appear to modify other skills' configs, but it does write .env and log files in the project tree and can download binaries.
Scan Findings in Context
[unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md. That is not expected for a normal README/install guide and may indicate hidden characters intended to influence downstream parsing or evaluation. Inspect the raw SKILL.md bytes before trusting automated processing.
What to consider before installing
This package implements a full multi-agent orchestration platform (web UI, bots, scheduler, public tunnel) and matches its description — but several red flags mean you should not install it blindly:

- Metadata mismatch: the registry says 'no required env vars' but the code and SKILL.md require many secrets (LLM_API_KEY, OPENCLAW_API_KEY, INTERNAL_TOKEN, TELEGRAM/QQ secrets). Treat that inconsistency as a transparency issue.
- Highly privileged token: INTERNAL_TOKEN is used by bots to call the system as arbitrary users (INTERNAL_TOKEN:username:...). Do NOT provide an INTERNAL_TOKEN unless you fully trust the code and run it in an isolated environment.
- Auto-downloads & tunneling: scripts claim to auto-download cloudflared and bark-server and can expose the service publicly. Verify exactly which URLs the scripts download from (inspect scripts/tunnel.py, packaging/launcher.sh, build scripts) and prefer running behind a firewall or in a disposable VM/container.
- Filesystem access: the service will read local files such as an OpenClaw sessions.json and write .env, logs, and user_data. Provide only paths you are comfortable exposing to the service.
- Prompt-injection artifact: SKILL.md contains detected unicode-control characters. Open the raw file and ensure there are no hidden control characters that could affect parsers or cause unexpected behavior.

Practical next steps before installing:

1. Review the repository source locally (especially scripts/tunnel.py, selfskill/scripts/*, run.sh, launcher.py) to see what is downloaded and what URLs are used.
2. Run initially in an isolated VM or container with no outbound network access (or with controlled egress) to inspect behavior.
3. Do not set INTERNAL_TOKEN or any admin keys until you are confident of the code. If you must test bots, create a throwaway INTERNAL_TOKEN limited to a test account or run without bot integrations.
4. If you plan to expose the service, require strong UI authentication, limit public exposure to a reverse proxy with access controls, and rotate any keys/passwords you use during testing.

If you want, I can: (A) list the specific files to inspect first (scripts/tunnel.py, selfskill/scripts/run.sh, packaging/launcher.py, chatbot/setup.py), or (B) scan the provided tunnel and downloader scripts for download URLs and extraction logic.

Like a lobster shell, security has layers — review code before you run it.
