teamclawtestv101
Warn. Audited by ClawScan on May 10, 2026.
Overview
This skill is a powerful multi-agent server that can run background services, execute commands, use delegated tokens, and keep persistent user memory, but those powers are broadly scoped and under-declared.
Review this skill carefully before installing. Treat it as a full local agent server, not a simple instruction-only helper: run it in a sandbox or VM, inspect setup/start scripts and omitted source files, pin dependencies, use test credentials first, keep bot whitelists strict, and require explicit approval for command execution, file deletion, scheduled actions, and profile-memory updates.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled broadly, the agent may change local files or run code during agent workflows, including multi-agent or scheduled tasks.
The skill explicitly instructs the agent to manage files, delete files, and run shell/Python code. Even though it mentions a sandbox, the provided artifacts do not clearly show approval, reversibility, or containment for these high-impact tool actions.
File management: can create, read, append to, delete, and list files for the user... Command execution: can execute system commands and Python code in the user's secure sandbox directory.
Use only in an isolated environment, inspect the actual command/file manager implementation, and require explicit user approval before file deletion, shell commands, or Python execution.
A misconfigured whitelist, leaked bot token, or leaked internal token could let chat messages invoke privileged agent capabilities as a local user.
Telegram messages are forwarded to the agent using an internal token described as administrator-level authentication for a mapped system user. This delegates powerful agent access to an external chat interface.
api_key = f"{INTERNAL_TOKEN}:{sys_username}:TG" ... Uses the INTERNAL_TOKEN:username:TG format (administrator-level authentication + specified user + session=TG)
Keep Telegram/QQ bots disabled unless needed, use strict whitelists, rotate INTERNAL_TOKEN if exposed, and ensure bot users cannot trigger high-impact tools without confirmation.
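The composite key above is the whole problem in one line: INTERNAL_TOKEN is the only secret, and it is not bound to a user, a channel, or a whitelist check. The following is an added example, not code from the skill or from mini_timebot, that reproduces that key format next to a hardened alternative (per-user, per-channel random credentials stored as hashes, whitelist re-checked on every call, no administrator scope for chat-originated sessions). The INTERNAL_TOKEN value, the whitelist, and the user mapping are constructed for the example; the audited artifacts do not show them.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example. The real INTERNAL_TOKEN, the Telegram
# whitelist and the user mapping are not visible in the audited artifacts.
INTERNAL_TOKEN = "example-internal-token"
TELEGRAM_WHITELIST = {"alice", "bob"}   # assumed: Telegram users mapped to system users


def parse_composite_key(api_key: str):
    """Parse the INTERNAL_TOKEN:username:TG format quoted in the finding.

    The only secret is INTERNAL_TOKEN. Whoever holds it can mint a key for
    any username, and the key carries no proof that the named user is
    whitelisted or asked for anything, so a leaked internal token is a
    full-privilege bypass for every mapped user.
    """
    parts = api_key.split(":", 2)
    if len(parts) != 3:
        return None
    token, username, session = parts
    if not hmac.compare_digest(token.encode(), INTERNAL_TOKEN.encode()):
        return None
    # Administrator-level access for whichever user the caller named.
    return {"user": username, "session": session, "admin": True}


# Hardened alternative (an assumption added here, not the project's design):
# one random credential per whitelisted user and channel. The bridge holds
# only the credentials of its own users, the server stores only hashes, and a
# leaked credential exposes one non-admin user scope, not every user.
_BRIDGE_TOKENS: dict = {}   # sha256(token) -> {"user": ..., "channel": ...}


def _digest(raw_token: str) -> str:
    return hashlib.sha256(raw_token.encode()).hexdigest()


def issue_bridge_token(username: str, channel: str = "TG") -> str:
    if username not in TELEGRAM_WHITELIST:
        raise PermissionError(f"{username} is not whitelisted for {channel}")
    raw = secrets.token_urlsafe(32)
    _BRIDGE_TOKENS[_digest(raw)] = {"user": username, "channel": channel}
    return raw


def authenticate_bridge(raw_token: str):
    rec = _BRIDGE_TOKENS.get(_digest(raw_token))
    if rec is None:
        return None
    # The whitelist is re-checked on every call, so removing a user takes
    # effect immediately without rotating every credential.
    if rec["user"] not in TELEGRAM_WHITELIST:
        return None
    # Chat-originated sessions are never administrator sessions; high-impact
    # tools still need a confirmation from the mapped user.
    return {"user": rec["user"], "session": rec["channel"], "admin": False}


def revoke_bridge_token(raw_token: str) -> bool:
    return _BRIDGE_TOKENS.pop(_digest(raw_token), None) is not None


if __name__ == "__main__":
    # A leaked INTERNAL_TOKEN is enough to act as any user, whitelisted or not.
    print(parse_composite_key(f"{INTERNAL_TOKEN}:root:TG"))
    tok = issue_bridge_token("alice")
    print(authenticate_bridge(tok))
    revoke_bridge_token(tok)
    print(authenticate_bridge(tok))
```

The point of the second half is blast radius: rotating INTERNAL_TOKEN after a leak (as the recommendation says) invalidates every bridge at once, whereas per-user credentials let one leaked bot credential be revoked on its own, and the admin flag never comes from the chat side at all.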
Installing could pull changing third-party package versions with substantial server, LLM, MCP, and chatbot functionality.
The dependency list is broad and unpinned, and SKILL.md instructs running a setup script while the registry provides no install spec. This creates provenance and reproducibility risk.
flask requests fastapi uvicorn pydantic langgraph langchain-openai langchain-google-genai langchain-anthropic
Review setup scripts before running them, pin dependency versions, install in a virtual environment, and avoid using production credentials until the dependency chain is verified.
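A quick way to act on the "pin dependency versions" advice is to lint the requirements file before installing. The checker below is an added example, not part of the skill or of ClawScan; it flags lines that are not pinned with ==, pinned lines without a --hash (which `pip install --require-hashes` would reject), direct URL references, and extra index URLs. The sample inputs are constructed: the unpinned list is the one quoted in the finding, and the hash on the pinned line is a placeholder, not a real digest.

```python
import re

# Package line: name, optional extras, then whatever follows (version
# specifier, environment markers, --hash options).
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")


def check_requirements(text: str) -> list[tuple[str, str]]:
    """Return (name, problem) pairs for lines that would let an install drift.

    A line passes only if it pins an exact version (==) and carries at least
    one --hash, which is what `pip install --require-hashes` enforces.
    """
    problems = []
    # pip-compile output wraps --hash options onto backslash continuation lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if line.startswith("-"):
            # Options are not packages, but an extra index is itself a
            # supply-chain risk: a public package with the same name can win.
            if line.startswith("--extra-index-url"):
                problems.append((line.split()[0], "extra index enables dependency confusion"))
            continue
        m = _REQ_RE.match(line)
        if not m:
            problems.append((line, "unrecognised requirement"))
            continue
        name, spec = m.group(1), m.group(3)
        if spec.startswith("@"):
            problems.append((name, "direct URL/VCS reference, not a registry pin"))
        elif "==" not in spec or ".*" in spec:
            problems.append((name, "not pinned to an exact version"))
        elif "--hash=" not in spec:
            problems.append((name, "pinned but no --hash"))
    return problems


# Constructed sample: the unpinned list quoted in the finding, one per line.
UNPINNED = """flask
requests
fastapi
uvicorn
pydantic
langgraph
langchain-openai
langchain-google-genai
langchain-anthropic
"""

# Constructed sample of the form a pinned file takes (placeholder hash, not a
# real digest).
PINNED = """flask==3.0.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests==2.32.3   # pinned, but nothing stops a re-uploaded artifact
"""

if __name__ == "__main__":
    for name, why in check_requirements(UNPINNED) + check_requirements(PINNED):
        print(f"{name}: {why}")
```

Run it against the file the setup script installs from before running that script; every line it reports is a place where the installed code can differ from what was reviewed.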
Personal details may persist across sessions and influence later agent behavior; incorrect or poisoned profile data could be reused repeatedly.
The agent is instructed to automatically load a persistent user profile into context and proactively update it based on observed user traits, without clear retention, review, or consent controls.
At the start of every conversation, the system automatically reads this file's contents and injects them into your context... Proactively use the file management tool to update user_profile.txt.
Expose profile contents to the user, require approval for profile updates, provide deletion controls, and avoid storing sensitive personal information by default.
Multi-agent conversations may reuse state and pass task context between internal agents, which can amplify mistakes or prompt-injection effects.
The OASIS design intentionally passes prompts between multiple expert/session agents and auto-created sessions. This is purpose-aligned, but users should understand that context and instructions flow between agents.
SessionExpert — calls mini_timebot's /v1/chat/completions endpoint using an existing or auto-created session_id... identity injection
Use separate sessions for sensitive work, limit tools available to sub-agents, and log inter-agent messages for auditability.
A mistaken or malicious scheduled task could keep affecting future sessions or trigger tool actions when the user is not actively present.
Internal scheduler triggers can cause the agent to act later and use all enabled tools, which can propagate a bad instruction from a scheduled or callback event into file, command, push, or multi-agent actions.
The current request comes from the internal system scheduler, not from a real-time user conversation. Carry out the corresponding actions according to the trigger content; you may use all enabled tools as normal.
Require confirmation for scheduled high-impact actions, restrict enabled tools for scheduler-triggered runs, and make scheduled tasks easy to review and cancel.
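The scheduler prompt quoted above hands an unattended run the same tool set as a live user. The recommendations for the file/command finding, the profile-memory finding, and this scheduler finding all come down to one control: decide per request origin which tools are available and which need explicit approval, and log every decision. The following is an added example of that gate, not code from the skill; the tool names, the three origins, and the in-memory file store are assumptions, since the audited artifacts describe the capabilities but not the tool identifiers.

```python
import json
from dataclasses import dataclass, field

# Assumed tool identifiers: the audited artifacts describe file, command,
# Python, push and profile-memory capabilities but do not show the tool names.
READ_ONLY = {"read_file", "list_files"}
LOW_IMPACT = {"create_file", "append_file"}
HIGH_IMPACT = {"delete_file", "run_shell", "run_python", "update_profile", "send_push"}

# Per-origin policy. The quoted scheduler prompt grants "all enabled tools";
# here scheduler and chat-originated runs get a reduced set, and every
# high-impact action needs an explicit confirmation from a live user.
POLICY = {
    "user":      {"allowed": READ_ONLY | LOW_IMPACT | HIGH_IMPACT, "confirm": HIGH_IMPACT},
    "telegram":  {"allowed": READ_ONLY | LOW_IMPACT | {"send_push"}, "confirm": {"send_push"}},
    "scheduler": {"allowed": READ_ONLY | {"append_file"},            "confirm": set()},
}

AUDIT_LOG: list[dict] = []


@dataclass
class ToolRequest:
    origin: str               # "user", "telegram" or "scheduler"
    user: str
    tool: str
    args: dict = field(default_factory=dict)
    confirmed: bool = False   # set only after the user approved this exact call


def decide(req: ToolRequest) -> str:
    """allow, needs_confirmation, or deny. Unknown origins and tools are denied."""
    policy = POLICY.get(req.origin)
    if policy is None or req.tool not in policy["allowed"]:
        return "deny"
    if req.tool in policy["confirm"] and not req.confirmed:
        return "needs_confirmation"
    return "allow"


def dispatch(req: ToolRequest, tools: dict) -> dict:
    """Route a tool call through the policy and record the decision."""
    decision = decide(req)
    AUDIT_LOG.append({"origin": req.origin, "user": req.user, "tool": req.tool,
                      "args": req.args, "decision": decision})
    if decision != "allow":
        return {"status": decision}
    return {"status": "ok", "result": tools[req.tool](**req.args)}


# Constructed in-memory stand-ins for the skill's file and command tools.
FILES = {"notes.txt": "hello"}


def _read(path):
    return FILES[path]


def _list():
    return sorted(FILES)


def _append(path, text):
    FILES[path] = FILES.get(path, "") + text
    return "ok"


def _delete(path):
    del FILES[path]
    return "deleted"


def _shell(cmd):
    return f"would run: {cmd}"   # never executes anything in this example


TOOLS = {"read_file": _read, "list_files": _list, "append_file": _append,
         "delete_file": _delete, "run_shell": _shell}


if __name__ == "__main__":
    # A scheduled job tries to run a command: denied outright, never executed.
    print(dispatch(ToolRequest("scheduler", "alice", "run_shell", {"cmd": "rm -rf ~"}), TOOLS))
    # A live user asks to delete a file: held until confirmed, then executed.
    req = ToolRequest("user", "alice", "delete_file", {"path": "notes.txt"})
    print(dispatch(req, TOOLS))
    req.confirmed = True
    print(dispatch(req, TOOLS))
    print(json.dumps(AUDIT_LOG, indent=1))
```

The origin must come from the transport that received the request (the scheduler hook, the bot bridge, the interactive session), never from the prompt text, otherwise an injected "this request comes from the user" line would lift the restriction. The audit log is what makes scheduled and inter-agent actions reviewable after the fact, which the multi-agent finding also asks for.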
The agent could be used to modify its own project files or behavior if given sufficient tool access.
The artifact describes autonomous core management and self-improvement capability. Combined with file and command tools, this is broader than an ordinary user-invoked skill unless tightly controlled.
transition from a passive assistant to an active co-maintainer... capability to suggest and implement improvements to its own architecture
Disable self-modification workflows by default, require explicit user review for any change to the skill or agent code, and keep the service under version control.
