Multi Agent Config Manager

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a real multi-agent orchestration tool, but it has unsafe configuration parsing, broad local file writes, cleanup deletion, and inconsistent package identity that warrant review before installation.

Review carefully before installing on a real OpenClaw workspace. Do not use it where untrusted users or tools can modify ~/.openclaw/openclaw.json. Back up ~/.openclaw/workspace/shared before running clean or archive_and_clean, prefer dry-run cleanup, and verify that this is the intended package despite the inconsistent naming in its release files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (33)

MCP Least Privilege

Medium
Confidence
83% confidence
Finding
The skill explicitly describes access to environment-derived paths and runtime-dependent filesystem behavior via `process.env.USERPROFILE || process.env.HOME`, yet no permissions are declared. In an orchestration skill that spawns agents, reads configuration, and writes outputs, missing permission declarations weaken reviewability and can cause the skill to operate with broader implicit capabilities than users expect.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The audit document claims the skill is released, but the embedded release metadata conflicts with the actual skill identity and version: the file describes v8.1.0 for 'multi-agent-orchestrator' while the footer says version 7.1.0 and slug 'multi-agent-engine'. In a multi-agent orchestration skill, operators may rely on audit artifacts for trust, rollout, and provenance decisions, so mismatched identity metadata can cause the wrong artifact to be trusted, deployed, or exempted from further review.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The release note claims to publish the current multi-agent orchestrator skill, but the command targets a different path (`./skills/multi-agent-config-manager`) and a different slug (`multi-agent-engine`). In a deployment workflow, this can cause operators to publish or update the wrong skill, creating a supply-chain style integrity issue where intended code, metadata, and released artifact do not match.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The `run` flow can automatically invoke `autoConfigure(configReport)` after discovering configuration errors, which means the skill mutates files and environment state as part of normal execution rather than requiring an explicit setup step. In a skill whose stated purpose is orchestration/research, silently creating or modifying config and workspace state expands the trust boundary and can surprise users or higher-level agents that expected planning-only behavior.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The built-in templates assign powerful tools such as `exec`, `sessions_spawn`, and `subagents` to generated agent profiles, enabling code execution and broader agent delegation beyond what the skill description suggests as research/collaboration orchestration. This creates a capability mismatch: a user selecting a template may unknowingly authorize shell execution or recursive orchestration paths that increase blast radius if prompts or downstream agents are compromised.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The archiver copies all non-hidden files from each per-agent workspace into the archive, which exceeds the documented scope of reports, final deliverables, and log snapshots. In a multi-agent orchestration system, agent workspaces may contain credentials, scratch notes, intermediate datasets, or other sensitive material, so broad archival can unintentionally preserve and expose data that should have remained transient.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
`buildMountInstructions(agentProfile, sharedDir, outputDir)` expects separate read-only shared and writable output paths, but `buildSpawnParams()` calls it as `buildMountInstructions(agentProfile, outputDir)`, shifting arguments so the writable output directory is described as the read-only shared directory and the actual output directory becomes `undefined`. In a multi-agent orchestrator, misleading filesystem instructions can cause agents to read, overwrite, or trust files in the wrong location, weakening isolation and corrupting workflow artifacts.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Most exported functions accept a caller-supplied projectDir, sectionName, sourceId, or subTaskId and pass them directly into path.join() and filesystem read/write operations with no canonicalization or boundary check. In Node.js, absolute paths and traversal segments can escape the intended research workspace, enabling arbitrary file read/write within the privileges of the running agent; in a multi-agent orchestrator, untrusted sub-agents or task inputs make this notably more dangerous.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The parser falls back to `(0, eval)('(' + configRaw + ')')` when JSON/cleaned JSON parsing fails, which executes arbitrary JavaScript from a user-scoped configuration file. Because the file is loaded from the user's home directory and is not integrity-checked, any attacker who can modify that file can achieve arbitrary code execution in the skill's process.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The test script invokes a shell via child_process.exec to run `rm -rf ${tempDir}` for cleanup. Even though `tempDir` is hardcoded in this file, shell-based deletion is an unnecessarily dangerous capability for a test harness: it expands the blast radius if the path later becomes configurable, is malformed, or is influenced by environment or context.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script hardcodes SKILL_DIR to 'multi-agent-config-manager' even though the skill named in the manifest under review is 'multi-agent-orchestrator'. This can cause validation to run against a different codebase, producing misleading success/failure results and potentially masking issues in the actual target skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document includes destructive deletion commands as part of a test procedure without any warning, confirmation step, backup guidance, or sandboxing note. Even though the paths are narrower than a full-system wipe, users or downstream agents could execute them blindly and lose workspace data during installation or validation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document specifies an auto-configuration flow that creates directories and agent configuration files in the user's environment, but it does not describe consent, preview, rollback, or safety boundaries. In an agent skill context, undocumented state-changing behavior is risky because users may trigger environment modifications without understanding what files will be created or overwritten.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation includes destructive rm commands targeting user workspace paths without prominent warnings about data loss, backup requirements, or confirmation steps. In a skill context, users may copy-paste these commands verbatim, causing irreversible deletion of local state, configurations, or work artifacts.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad terms like '工作流', '深度研究', and 'multi agent', which are common in ordinary requests and can cause the skill to activate unexpectedly. In a powerful orchestrator that can spawn subagents, create files, and send session messages, accidental invocation increases the chance of unintended actions and data handling beyond user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The `clean` command deletes files in `shared/` immediately unless `dry_run` is set, with no explicit confirmation prompt or mandatory acknowledgment at the point of execution. In an orchestration skill that accumulates intermediate artifacts, accidental invocation or misuse by another agent can destroy outputs needed for auditability, rollback, or review.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The cleanup routine recursively deletes every file under shared/ with no confirmation, safety guard, or path integrity check beyond the configured base directory. In an orchestration skill, shared/ is a central coordination area, so an unexpected invocation, logic error, or misuse can destroy in-progress artifacts, audit data, or user-important files, undermining integrity and recoverability.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The generated prompt instructs downstream agents to write files to a path derived from context without any explicit user consent, safety confirmation, or restriction on what directory may be modified. In an agentic system, silent file-write instructions can cause unintended local state changes or overwrite files if an attacker influences output_dir or agent names.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The autoConfigure() function performs filesystem writes based solely on a supplied configReport and emits only console messages at execution time, relying on external callers to have already obtained consent. In an agent/skill context, that separation is risky because another component can invoke autoConfigure() directly and create directories in the user's home workspace without an in-function confirmation gate, reducing user control over state-changing operations.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The generated prompt explicitly instructs a spawned subagent to immediately write discovered data to a local file, and the spawn params mount writable working directories automatically. In an agent system, this creates an unprompted persistence channel: sensitive task inputs, retrieved data, or prompt-injected content may be stored on disk without explicit user consent, increasing the risk of data leakage, retention of untrusted content, and cross-step contamination of later workflows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code persists quality gate block records to files inside the supplied project directory without any user disclosure, consent flow, or configurable opt-out. In an agent orchestration skill, silent writes can create unexpected state, leak workflow details to disk, and modify user workspaces in ways the user did not authorize.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Decision logging writes persistent audit data, including rationale, alternatives, context summary, and metadata, to project files with no clear disclosure or consent. This is risky because orchestrator logs may contain sensitive prompts, project context, or user-derived data, and storing them by default increases privacy and data exposure risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The protocol mandates verbose audit logs containing per-agent timing, file paths, poll history, and related execution metadata, but provides no minimization, access control, retention, or user notice requirements. In a multi-agent orchestration skill, these logs can reveal workflow structure, internal filenames, agent identities, and operational patterns that may expose sensitive project context or aid later reconnaissance.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The protocol requires writing plan boards, execution boards, and reports into shared filesystem locations without any consent, scoping, or safety controls. In this skill context, automatic writes under shared directories can unexpectedly persist sensitive task data, create cross-workflow exposure risks, and modify the host environment in ways the user may not anticipate.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The archival and cleanup rules instruct the system to move research outputs and legacy files during finalization, but they do not require confirmation for each relocation or define safeguards against accidental movement of user data. In a system that manages many reports under shared trees, silent file moves can break user expectations, disrupt downstream tooling, and cause loss of discoverability or unintended data retention.

VirusTotal

67/67 vendors flagged this skill as clean.
