TeamClaw
Security checks across static analysis, malware telemetry, and agentic risk
Overview
TeamClaw is, by its own description, a powerful multi-agent server, but it needs review because its bot/public-access features can let external messages reach an agent with broad tool access.
Install only if you want a long-running multi-agent server and are comfortable administering it. Use strong passwords, configure least-privilege bot accounts, avoid enabling the QQ bot or public tunnel until access controls are verified, keep API keys out of shared workflows, and run the service in an isolated environment.
SkillSpector
SkillSpector has not run for this release. Legacy ClawScan findings remain available under Risk analysis.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
63/63 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the QQ bot is enabled, people who can message or mention the bot may be able to drive the agent as the configured QQ system user, potentially reaching that user’s enabled tools and memory.
The QQ bot forwards both private and group messages to the agent using one configured internal-token identity. The shown QQ path does not include the Telegram-style whitelist or per-user authorization check.
INTERNAL_TOKEN = os.getenv("INTERNAL_TOKEN", "")
QQ_BOT_USERNAME = os.getenv("QQ_BOT_USERNAME", "qquser")
"api_key": f"{INTERNAL_TOKEN}:{QQ_BOT_USERNAME}:QQ"
...
async def on_c2c_message_create(...): ... await self.handle_main_logic(message)
async def on_group_at_message_create(...): ... await self.handle_main_logic(message)
Only enable the QQ bot in trusted chats, use a low-privilege dedicated account, add a whitelist/per-user mapping, and disable file/command tools for bot sessions unless explicitly needed.
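As an added example (not TeamClaw's own code), this is the kind of per-sender gate the remediation above calls for: each QQ sender maps to its own low-privilege agent user instead of the single internal-token identity, unlisted senders and groups are dropped, and file/command tools are stripped from bot sessions. QQMessage, the QQ_ALLOWLIST/QQ_ALLOWED_GROUPS variables and the tool names are assumptions.

```python
import os
from dataclasses import dataclass, field
from typing import Optional

# Tools a bot-driven session should not receive unless explicitly granted (assumed names).
HIGH_IMPACT_TOOLS = {"file_manager", "command_exec"}


@dataclass
class QQMessage:
    sender_id: str                 # QQ id of the message author (constructed shape)
    chat_type: str                 # "c2c" for private chat, "group" for @-mentions
    group_id: Optional[str] = None


@dataclass
class SessionIdentity:
    username: str                  # agent user the message is processed as
    tools: set = field(default_factory=set)


def load_allowlist(raw: str) -> dict:
    """Parse 'qq_id=agent_user,qq_id=agent_user' into a per-sender mapping."""
    mapping = {}
    for entry in filter(None, (e.strip() for e in raw.split(","))):
        qq_id, _, user = entry.partition("=")
        if qq_id and user:
            mapping[qq_id] = user
    return mapping


def authorize(msg: QQMessage, allowlist: dict, allowed_groups: set,
              requested_tools: set) -> Optional[SessionIdentity]:
    """Return the identity to run the agent as, or None to drop the message."""
    user = allowlist.get(msg.sender_id)
    if user is None:                       # sender not in the whitelist
        return None
    if msg.chat_type == "group" and msg.group_id not in allowed_groups:
        return None                        # @-mention from an untrusted group
    # Bot sessions never get file/command tools, whatever the request asks for.
    return SessionIdentity(username=user, tools=requested_tools - HIGH_IMPACT_TOOLS)


if __name__ == "__main__":
    # Assumed env vars; constructed sample values for an offline run.
    allow = load_allowlist(os.getenv("QQ_ALLOWLIST", "10001=qq_alice"))
    groups = set(filter(None, os.getenv("QQ_ALLOWED_GROUPS", "g2").split(",")))
    msg = QQMessage("10001", "group", "g2")
    print(authorize(msg, allow, groups, {"chat", "file_manager", "command_exec"}))
```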
A mistaken instruction, unsafe workflow, or compromised external channel could cause file changes or code execution inside the configured sandbox.
The system prompt intentionally gives the agent file-management and command/code execution tools. This matches the agent-subsystem purpose, but it is high-impact authority.
File management: can create, read, append to, delete, and list files for the user... Command execution: can execute system commands and Python code in the user's secure sandbox directory.
Confirm the sandbox boundaries, review the command whitelist, require confirmation for destructive operations, and disable these tools in sessions that do not need them.
Running the tunnel/setup steps may introduce external binaries or dependencies onto the machine.
The public-tunnel workflow downloads and runs an external helper binary. This is disclosed and user-directed, but the provided artifacts do not show pinning or integrity verification.
Auto-detects platform → downloads `cloudflared` if missing → starts tunnels → captures public URLs → writes to `.env`
Verify download sources and hashes where possible, pin dependencies, and run the service in an isolated environment or container.
Information saved in the profile may influence future responses and may be sent to configured model providers as part of context.
The agent maintains a persistent user profile and injects it into future conversations. This is a disclosed personalization feature, but persistent context can carry stale, sensitive, or poisoned information forward.
At the start of each conversation, the system automatically reads the contents of this file and injects it into your context... When you notice important characteristics of the user during a conversation... proactively use the file-management tool to update user_profile.txt.
Do not store secrets in the profile, periodically review or clear saved profile data, and disable proactive profile updates if not wanted.
A misconfigured password, exposed API, or vulnerable service could become reachable from the internet.
The Cloudflare Quick Tunnel feature intentionally exposes local agent services to the public internet. The docs also require a Web UI account, so this is not hidden, but it expands the trust boundary.
expose the entire service to the internet — zero configuration, no account needed... Exposes both the Web UI (port 51209) and Bark push service (port 58010) simultaneously
Use strong unique credentials, expose only what is necessary, avoid public tunnels for sensitive work, and stop the tunnel when not actively needed.
The service, schedulers, bots, and push notifications can keep running until explicitly stopped.
The skill is designed to run as a background service with scheduled tasks. This is disclosed and core to its purpose, but it means it may continue operating after the initial chat turn.
bash selfskill/scripts/run.sh start # Start in background ... Scheduled Tasks: An APScheduler-based task scheduling center
Check service status regularly, stop it when not needed, and review scheduled tasks and background logs.
