Team Builder

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent team-deployment tool, but it asks users to make persistent global OpenClaw and cron changes without enough built-in review or rollback controls.

Install only if you intentionally want a persistent multi-agent OpenClaw team. Before running the generated scripts, review apply-config.js and create-crons.sh/ps1, and make your own backup of ~/.openclaw/openclaw.json so the global changes can be rolled back. Enable only the agents and cron jobs you need, and limit Deep Dive scans to projects whose code and operational details you are comfortable storing in the generated workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium severity, 95% confidence
Finding
The templates substantially expand the skill from "deploy a multi-agent team workspace" into persistent business operations across marketing, competitive intelligence, content production, product management, and ongoing execution. This is dangerous because operators may grant the skill deployment/orchestration access while unintentionally enabling broad autonomous business actions far outside the declared scope, increasing the risk of unauthorized actions and hidden capability creep.

Description-Behavior Mismatch

Medium severity, 94% confidence
Finding
The growth role is authorized to perform direct community engagement, social publishing, and platform-specific outreach, which are external actions not implied by a team-builder/deployment skill. This creates a capability mismatch where a user expecting internal workspace setup could instead enable outward-facing autonomous communications that affect third parties and brand reputation.

Context-Inappropriate Capability

Medium severity, 93% confidence
Finding
Granting emergency coding authority to non-engineering roles such as data, growth, content, or intelligence agents weakens separation of duties and allows agents without implementation-focused constraints to modify code or systems. In practice this can bypass review expectations, increase the chance of unsafe changes, and blur accountability for software actions.

Context-Inappropriate Capability

Medium severity, 92% confidence
Finding
Empowering the growth role for outbound community/social operations gives the skill invasive external-action capability unrelated to basic team deployment. If misused, the agent could post, engage, or influence external communities under organizational identity without adequate authorization boundaries or review.

Description-Behavior Mismatch

Medium severity, 97% confidence
Finding
The generated apply-config.js modifies the user's global ~/.openclaw/openclaw.json by adding agents and enabling broad agent-to-agent communication. This exceeds the apparent scope of a workspace template deployer and can silently alter the user's wider OpenClaw environment, creating persistence and trust-boundary issues if the workspace or generated agents are later abused.

Missing User Warnings

Medium severity, 93% confidence
Finding
The script writes many files into a user-selected workspace and also generates a secondary script that edits global OpenClaw configuration, yet the deploy flow gives no clear user-facing warning or change summary. In a deployment tool for agent skills, silent file and config mutation is more dangerous because users may assume they are only creating a template, not altering persistent runtime behavior.

Ssd 3

Medium severity, 91% confidence
Finding
The mandatory requirement to write persistent memories after each task encourages long-term retention of decisions, pitfalls, and conclusions without any minimization, redaction, or retention limits. This can cause sensitive user data, internal operational details, or confidential task context to be unnecessarily stored in role memory files and later exposed to unrelated tasks or agents.
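The control this finding says is absent is a write gate in front of the role memory files: allowlist the fields worth keeping, redact secrets and personal data, cap entry size, and expire old entries. The code below is an added example for this page, not part of the Team Builder skill; the field allowlist, secret patterns, 30-day TTL and 100-entry cap are illustrative assumptions chosen for the example, and the memory is modelled as an in-memory array rather than the skill's actual file format.

```javascript
// Added example, not part of the Team Builder skill: a minimizing write gate for
// per-role memory. Allowlist, patterns and limits are illustrative assumptions.
const ALLOWED_FIELDS = ['task', 'decision', 'pitfall', 'conclusion'];
const MAX_FIELD_CHARS = 500;               // per-field cap: lessons, not transcripts
const MAX_ENTRIES = 100;                   // per-role retention cap
const TTL_MS = 30 * 24 * 60 * 60 * 1000;   // entries expire after 30 days

// Material that must never land in a memory file. Each pattern is typed so the
// placeholder records what kind of data was removed without keeping its value.
const SECRET_PATTERNS = [
  { name: 'aws_access_key', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'bearer_token', re: /\bBearer\s+[A-Za-z0-9._~+\/-]{20,}=*/g },
  { name: 'private_key', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g },
  { name: 'email', re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
];

// Replace every secret match with a typed placeholder and report what was removed.
function redact(text) {
  const hits = [];
  let out = String(text);
  for (const { name, re } of SECRET_PATTERNS) {
    out = out.replace(re, () => {
      hits.push(name);
      return `[REDACTED:${name}]`;
    });
  }
  return { text: out, hits };
}

// Reduce a raw entry to the allowlisted string fields, redacted and truncated.
// Unknown fields (raw tool output, transcripts, credentials) are dropped, not stored.
function minimize(raw) {
  const entry = {};
  const hits = [];
  for (const field of ALLOWED_FIELDS) {
    if (typeof raw[field] !== 'string') continue;
    const r = redact(raw[field]);
    hits.push(...r.hits);
    entry[field] = r.text.slice(0, MAX_FIELD_CHARS);
  }
  const dropped = Object.keys(raw).filter((k) => !ALLOWED_FIELDS.includes(k));
  return { entry, hits, dropped };
}

// Append to a role's memory, expiring stale entries and evicting the oldest past
// the cap. Returns a new array plus a report of what was redacted or dropped.
function appendMemory(memory, raw, now = Date.now()) {
  const { entry, hits, dropped } = minimize(raw);
  const stamped = { ...entry, createdAt: now, expiresAt: now + TTL_MS };
  const live = memory.filter((m) => m.expiresAt > now);
  const next = [...live, stamped].slice(-MAX_ENTRIES);
  return { memory: next, redacted: hits, droppedFields: dropped };
}

module.exports = { redact, minimize, appendMemory, MAX_ENTRIES, TTL_MS };
```

The report returned by `appendMemory` is meant to be logged at write time so an operator can see how often agents try to persist secrets; a high redaction rate for one role is itself a signal that its prompts are pulling sensitive context into memory.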

Ssd 3

Medium severity, 95% confidence
Finding
The chief-of-staff is instructed to scan all inboxes and maintain a full-picture dashboard, creating centralized access to potentially all cross-agent communications and statuses without least-privilege or need-to-know controls. This broad visibility increases the blast radius of accidental disclosure and makes sensitive information aggregation routine rather than exceptional.
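Two of the findings above describe the same missing control from different angles: emergency coding authority granted to non-engineering roles (a separation-of-duties gap) and a chief-of-staff that reads every inbox in full (a need-to-know gap). Both are addressed by a deny-by-default policy layer between the agents and their tools and message stores. The code below is an added example for this page, not part of the Team Builder skill or of OpenClaw; the role names, tool names, message fields and the two-person emergency rule are illustrative assumptions, not the skill's real schema.

```javascript
// Added example, not part of the Team Builder skill: a deny-by-default gate for
// tool calls and inbox visibility. Roles, tools and fields are assumptions.
const CODE_TOOLS = new Set(['write_code', 'run_migration', 'deploy']);

// Per-role policy: which tools a role may call, which inboxes it may read, and
// (if `fields` is set) which message fields it gets to see.
const ROLE_POLICY = {
  engineering: { tools: ['read_code', 'write_code', 'run_tests', 'deploy'], inboxes: ['engineering'], fields: null },
  growth: { tools: ['draft_post'], inboxes: ['growth'], fields: null },
  data: { tools: ['run_query'], inboxes: ['data'], fields: null },
  'chief-of-staff': {
    tools: ['read_status'],
    inboxes: ['*'],
    fields: ['from', 'inbox', 'task', 'status', 'updatedAt'], // status only, never bodies
  },
};

// Decide whether `role` may call `tool`. A non-engineering role may invoke a
// code-changing tool only for an emergency that an engineering approver other
// than the requester signed off on, with a ticket to attribute the change to.
function authorizeToolCall(role, tool, ctx = {}) {
  const policy = ROLE_POLICY[role];
  if (!policy) return { allowed: false, reason: `unknown role ${role}` };
  if (policy.tools.includes(tool)) return { allowed: true, reason: 'permitted by role policy' };
  if (CODE_TOOLS.has(tool) && ctx.emergency) {
    const approver = ctx.approvedBy;
    const twoPerson = approver && approver.role === 'engineering' && approver.id !== ctx.requesterId;
    if (twoPerson && ctx.ticket) {
      return { allowed: true, reason: `emergency ${ctx.ticket} approved by ${approver.id}` };
    }
    return { allowed: false, reason: 'emergency code change needs a ticket and an engineering approver other than the requester' };
  }
  return { allowed: false, reason: `${tool} not permitted for ${role}` };
}

// Project messages to what `role` needs to see. The chief-of-staff gets a
// cross-inbox status view with bodies stripped; other roles get full messages
// only from their own inbox.
function projectInbox(role, messages) {
  const policy = ROLE_POLICY[role];
  if (!policy) return [];
  return messages
    .filter((m) => policy.inboxes.includes('*') || policy.inboxes.includes(m.inbox))
    .map((m) => {
      if (!policy.fields) return { ...m };
      const view = {};
      for (const f of policy.fields) if (f in m) view[f] = m[f];
      return view;
    });
}

// Constructed sample traffic for a stand-alone run (not real agent output).
const SAMPLE_MESSAGES = [
  { from: 'engineering', inbox: 'engineering', task: 'TB-12', status: 'blocked', updatedAt: 1, body: 'prod db credentials rotated, new values in vault path ...' },
  { from: 'growth', inbox: 'growth', task: 'TB-15', status: 'done', updatedAt: 2, body: 'draft queued for review' },
];

module.exports = { authorizeToolCall, projectInbox, SAMPLE_MESSAGES, ROLE_POLICY };
```

With this gate in place the dashboard still shows every task and its status, which is what a chief-of-staff needs, while the engineering inbox body above never leaves the engineering role; and a growth agent asking for `write_code` is refused unless an engineer other than itself has approved a ticketed emergency, which keeps the accountability trail the finding says is blurred.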

VirusTotal

64/64 vendors flagged this skill as clean. A clean antivirus result only means the packaged files match no known-malware signatures; it does not assess the behavioral and scope findings listed above, which concern what the skill does when run.

View on VirusTotal