Security audit

三只虾协作系统 (Three Shrimp Collaboration System)

Security checks across malware telemetry and agentic risk

Overview

The skill’s collaboration automation is mostly coherent, but it asks users to enable persistent background monitoring and external task notifications with weak scoping and hard-coded local/recipient details.

Review before installing. Only enable the launchd services after replacing the hard-coded paths and Feishu recipient/webhook, inspecting or supplying the missing plist files, and deciding that persistent background monitoring is acceptable. Do not put secrets, customer data, private links, credentials, or sensitive work product in task queues or notification details unless you have added redaction and recipient verification; keep backups or version control for queue and memory files before enabling automatic cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (30)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README describes automatic Feishu notifications that include task names, executors, timestamps, and even document links, but it provides no warning about transmitting potentially sensitive operational data to an external messaging platform. In a multi-agent automation context, this increases the chance that users unknowingly forward internal project metadata or results outside the local environment.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The reset instructions overwrite tasks/queue.md via shell redirection, which will destroy the existing queue contents if run as written. Without a prominent warning or confirmation step, operators may accidentally erase live task state, audit history, or coordination data needed by the automation workflow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly describes real-time file monitoring, periodic full-file reads, and outbound Feishu notifications, but it does not warn users that local files may be continuously observed and task content may be transmitted to an external service. This creates a privacy and data-leakage risk because users may deploy it without understanding the scope of monitoring or what information leaves the machine.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup instructions tell users to copy plist files into ~/Library/LaunchAgents and load them with launchctl, which installs persistent background services in the user's session. Because the document does not clearly warn that these services will remain running and continue monitoring in the background, users may unknowingly grant long-lived monitoring and notification capability.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document describes an automated pipeline that reads pending notifications and sends task completion details and results to Feishu, but it does not define user consent, data classification, redaction rules, or content restrictions before external transmission. In an automation context, this can leak sensitive task contents, internal schedules, or generated outputs to chat recipients without an explicit review or warning step.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The document encourages automated full-file reads, task cleanup, and recurring logging without warning about data sensitivity, retention, or accidental modification of local workspace state. In the context of an agent skill, scheduled background processing of all files can expose private data to logs or downstream tools and can silently alter or delete task artifacts over time.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The quickstart instructs users to run a local setup script that installs an automatic heartbeat service, but it does not clearly disclose that this creates persistence via launchd and may continue executing on a schedule. That omission is security-relevant because users may unknowingly enable a background task with ongoing file access and token consumption.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document describes automatic updates to MEMORY.md and cleanup of completed tasks, including retention behavior, without clearly warning that user files will be modified automatically. Automated mutation of task and memory files can cause unintended data loss, overwrite user edits, or hide activity if users do not understand the scope of changes.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The document hard-codes a single required form of address for the user ("老板") and labels alternatives as forbidden. This can override user preferences, create coercive or culturally mismatched interactions, and reduce safe personalization by forcing the agent to ignore how the user wants to be addressed.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The memory guidance reinforces that the user must be referred to only by a specific Chinese honorific in all cases. Repetition across usage guidance makes the behavior more persistent and more likely to override user choice or downstream safety/politeness settings.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document instructs automatic transmission of task status and progress reports to Feishu from a heartbeat script, but it provides no consent, data-classification, minimization, or privacy/security guidance. In practice, task descriptions, blockers, links, and internal project details may contain sensitive business or personal data, so normalizing automatic external reporting increases the risk of unintended data disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document requires sending task results and details to a Feishu user account but provides no guidance to classify, minimize, or redact sensitive content before transmission. That creates a real data-handling risk because agents may forward user data, internal links, logs, or confidential work product to a third-party messaging channel by default.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installer silently installs and loads user LaunchAgents, creating persistence and modifying the filesystem without any explicit warning or consent gate. Even if intended for legitimate automation, this is risky because it causes background execution at login/session start and can surprise users or be abused if the bundled plist files or referenced scripts are unsafe.

Ssd 3

Medium
Confidence
96% confidence
Finding
The automatic workflow states that completed tasks are detected, notification messages are generated from logs, and then sent to the boss, but it does not impose any filtering of sensitive user-provided or system-generated content. This is dangerous because logs and generated task summaries often contain secrets, personal data, internal paths, or other sensitive material that could be exfiltrated automatically without human review.

Session Persistence

Medium
Category
Rogue Agent
Content
LAUNCH_AGENTS_DIR="$HOME/Library/LaunchAgents"

# Copy the configuration files
cp "scripts/com.openclaw.heartbeat.plist" "$LAUNCH_AGENTS_DIR/"
cp "scripts/com.openclaw.fswatch.plist" "$LAUNCH_AGENTS_DIR/"
echo "  ✅ 配置文件已复制"
Confidence
99% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
# Copy the configuration files
cp "scripts/com.openclaw.heartbeat.plist" "$LAUNCH_AGENTS_DIR/"
cp "scripts/com.openclaw.fswatch.plist" "$LAUNCH_AGENTS_DIR/"
echo "  ✅ 配置文件已复制"

# Unload the old configuration (if present)
Confidence
99% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
# Unload the old configuration (if present)
if launchctl list | grep -q "com.openclaw.heartbeat"; then
    launchctl unload "$LAUNCH_AGENTS_DIR/com.openclaw.heartbeat.plist" 2>/dev/null || true
fi
if launchctl list | grep -q "com.openclaw.fswatch"; then
    launchctl unload "$LAUNCH_AGENTS_DIR/com.openclaw.fswatch.plist" 2>/dev/null || true
Confidence
91% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
launchctl unload "$LAUNCH_AGENTS_DIR/com.openclaw.heartbeat.plist" 2>/dev/null || true
fi
if launchctl list | grep -q "com.openclaw.fswatch"; then
    launchctl unload "$LAUNCH_AGENTS_DIR/com.openclaw.fswatch.plist" 2>/dev/null || true
fi

# Load the new configuration
Confidence
91% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
fi

# Load the new configuration
launchctl load "$LAUNCH_AGENTS_DIR/com.openclaw.heartbeat.plist"
launchctl load "$LAUNCH_AGENTS_DIR/com.openclaw.fswatch.plist"
echo "  ✅ 服务已启动"
Confidence
97% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
fi

# Load the new configuration
launchctl load "$LAUNCH_AGENTS_DIR/com.openclaw.heartbeat.plist"
launchctl load "$LAUNCH_AGENTS_DIR/com.openclaw.fswatch.plist"
echo "  ✅ 服务已启动"
Confidence
97% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
# Load the new configuration
launchctl load "$LAUNCH_AGENTS_DIR/com.openclaw.heartbeat.plist"
launchctl load "$LAUNCH_AGENTS_DIR/com.openclaw.fswatch.plist"
echo "  ✅ 服务已启动"

# Verify status
Confidence
97% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
# Load the new configuration
launchctl load "$LAUNCH_AGENTS_DIR/com.openclaw.heartbeat.plist"
launchctl load "$LAUNCH_AGENTS_DIR/com.openclaw.fswatch.plist"
echo "  ✅ 服务已启动"

# Verify status
Confidence
97% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
# Define paths
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PLIST_FILE="$SCRIPT_DIR/com.openclaw.heartbeat.plist"
LAUNCH_AGENTS_DIR="$HOME/Library/LaunchAgents"

# Create the LaunchAgents directory (if it does not exist)
Confidence
84% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
# Define paths
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PLIST_FILE="$SCRIPT_DIR/com.openclaw.heartbeat.plist"
LAUNCH_AGENTS_DIR="$HOME/Library/LaunchAgents"

# Create the LaunchAgents directory (if it does not exist)
Confidence
84% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
mkdir -p "$LAUNCH_AGENTS_DIR"
fi

# Copy the plist file
echo "📋 复制配置文件..."
cp "$PLIST_FILE" "$LAUNCH_AGENTS_DIR/"
echo "  ✅ 已复制到 $LAUNCH_AGENTS_DIR/com.openclaw.heartbeat.plist"
Confidence
88% confidence
Finding
plist

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.