Back to skill

Security audit

Multi-Agent Engine v8

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real multi-agent research tool, but it needs Review because it can execute local configuration as code and has broad persistent workspace write/cleanup behavior.

Install only if you are comfortable giving this skill broad control over an OpenClaw workspace and spawned agents. Patch or remove the eval fallback before use, keep openclaw.json writable only by trusted users, run cleanup in dry-run mode first, and avoid putting secrets or sensitive business data into tasks that may be persisted in reports, logs, or traces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill metadata advertises no permissions while the described capability surface includes environment access via commands like environment checks and compatibility detection. This creates a trust and transparency gap: users and policy engines may approve the skill under the assumption that it is low-privilege, even though it can inspect runtime environment details that may include sensitive configuration data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose presents the skill as a research orchestrator, but the detected behavior set includes persistent local storage, directory creation and repair, archival cleanup, model inspection and override logic, and process-terminating compatibility checks. That mismatch is dangerous because it conceals materially broader system interaction than a user would expect, increasing the chance of unauthorized file modification, retention of sensitive data, or disruptive execution in environments that only approved research-oriented behavior.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This code persists operational state and agent/workflow metadata under the user's home workspace using loadJSON/saveJSON, creating and modifying files automatically. For an orchestration skill, that broad persistent state management increases attack surface and can lead to unintended retention, tampering, or misuse of local data beyond the minimum needed to perform a task.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The run path performs automatic configuration and repair via autoConfigure() before executing the requested task, which means invoking the skill can change the local environment without an explicit separate consent step. In a security-sensitive agent runtime, self-modifying setup behavior is dangerous because it can create files, alter configuration, and normalize privilege-expanding behavior under the guise of orchestration.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The generated SOP and prompt claim the Writer agent is 'forbidden from networking', but this file only emits instructional text and provides no technical enforcement. In a multi-agent orchestration skill, operators may rely on that claim as a security boundary, allowing a Writer agent with network capability to exfiltrate local research materials or fetch untrusted external content despite the prompt's stated restriction.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The prompt says outputs must be verified to exist after phase completion, but advanceSOPState marks steps and phases complete before actually validating the declared outputs for that phase. In this orchestration context, that can let the system advance on missing or fabricated artifacts, undermining workflow integrity and enabling downstream agents to act on incomplete evidence.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The code only embeds 'do not use exec/shell' as natural-language instructions inside the spawned task prompt, but the returned spawn parameters do not technically restrict tool availability or sandbox child agents. A malicious prompt, compromised downstream agent, or simple instruction drift could therefore still invoke dangerous tools and write or execute outside the intended workflow, making the documented safety boundary ineffective.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code falls back to `(0, eval)('(' + configRaw + ')')` when parsing `openclaw.json` fails. Even though the file is described as a local config, treating config content as executable JavaScript enables arbitrary code execution if that file is modified by an attacker, another compromised component, or an untrusted sync/import process.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The ruleset claims a word-based completeness requirement ('at least 500 words'), but the implementation scores completeness using raw string length thresholds. This mismatch can cause materially incorrect validation outcomes, especially across languages and formats, allowing underspecified outputs to pass or legitimate outputs to fail, which undermines downstream decision-making in the orchestrator.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The technical_output and critical_review rulesets rely on CONSISTENCY and QUALITY semantics, but executeRule does not implement CONSISTENCY or QUALITY and falls back to NEEDS_REVIEW with a default score of 0.5. That means important safeguards are effectively unimplemented while still contributing partial credit, which can let weak or contradictory outputs clear the pass threshold and be trusted by later stages.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The protocol contains a direct contradiction: earlier sections mandate active polling of child-agent outputs and progress files, while Phase 2 later instructs the orchestrator to only yield for completion events and explicitly not poll. In a multi-agent runtime, this inconsistency can cause missed sub-agent questions, delayed completion detection, duplicate work, and incorrect degradation decisions, which undermines reliability and auditability of the orchestration flow.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The cleanup routine recursively deletes every file under the shared workspace and is invoked automatically by archiveAndClean() with no confirmation, scoping guard, or allowlist. In a multi-agent system where shared/ may contain in-progress outputs, user data, or symlinked content, this can cause unintended data loss and operational disruption if called at the wrong time or against an unexpected workspace.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The generated prompt explicitly instructs sub-agents to write a report file to a path derived from context without any user-visible disclosure or confirmation step. In an agent system, hidden file-writing behavior can cause unexpected workspace modifications, overwrite existing files, or enable downstream abuse if untrusted context controls the output directory or agent name.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The legacy prompt similarly directs agents to write markdown reports to a filesystem path without visible disclosure to the user. Even though it says to avoid shell commands, silent file creation/modification remains risky because it can alter local state unexpectedly and may overwrite or place files in attacker-influenced locations.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The prompt explicitly instructs a spawned subagent to immediately write findings to local disk during execution, but the code provides no user-facing disclosure, approval gate, or restriction beyond placing files in a chosen directory. In an agent setting, silent persistence of model-generated content can leak sensitive task content, create unexpected local artifacts, or violate user expectations about side effects.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The function automatically creates local directories for raw sources and extracted facts as a side effect of preparing subagent execution, without any disclosure or consent mechanism. While limited in scope, this still causes unannounced filesystem modification and can surprise users or persist potentially sensitive research material on disk.

Missing User Warnings

Low
Confidence
79% confidence
Finding
This helper creates multiple working directories on disk automatically, again without any user-facing notice. The behavior is not inherently malicious, but in a multi-agent skill it increases persistence and local footprint, which matters when tasks may process sensitive or regulated data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code persists raw research content, URLs, hound identifiers, and timestamps to local markdown files under the user's home workspace without any consent gate, warning, retention control, or redaction. In an agent setting, collected sources may contain sensitive user, business, or investigation data, so silent durable storage increases privacy and confidentiality risk if the machine, account, or workspace is later accessed by others.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The module stores extracted facts, drafts, and final reports to disk by default, creating long-lived copies of potentially sensitive intermediate reasoning and final outputs. In a multi-agent research orchestrator, these artifacts can aggregate proprietary, personal, or investigative material, so undisclosed persistence materially expands the impact of host compromise, account sharing, backup leakage, or accidental disclosure.

Missing User Warnings

High
Confidence
99% confidence
Finding
This is the same dangerous behavior from a different rule perspective: local configuration content is executed via `eval` without any meaningful safety boundary. In an agent/orchestrator context, config files are often user-editable or tool-generated, so this expands the trust boundary and creates a code-execution primitive in a non-execution component.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The code persists model capability data to a hidden file under the user's home workspace without any consent, disclosure, or validation of the target directory state. While the stored content is not highly sensitive by itself, silent persistence in a user-scoped hidden path can create privacy surprises, leave forensic traces of usage, and enable file overwrite abuse in environments where the path is attacker-influenced or symlinked.

Natural-Language Policy Violations

Medium
Confidence
74% confidence
Finding
The confirmation flow hard-codes accepted user responses in Chinese only, which can cause the orchestrator to mis-handle or ignore confirmations, cancellations, or modification requests from non-Chinese users. In this skill, that matters because the outline-approval step is a hard gate before spawning agents; failure to recognize user intent can lead to unauthorized progression, denial of cancellation, or workflow deadlock.

Ssd 3

Medium
Confidence
89% confidence
Finding
The role-context builders deliberately read project content such as outlines, facts, drafts, and task descriptions, then repackage and forward that content into later agent contexts. In a multi-agent system, this creates a data propagation channel where sensitive or adversarial user/project content can be retained, broadened across roles, and surfaced in downstream outputs, increasing risks of prompt injection persistence and unintended disclosure.

Ssd 3

Medium
Confidence
92% confidence
Finding
Decision logging and trace reporting persist plain-language decisions, rationale, alternatives, context summaries, and later expose them through query/report functions. If those fields contain sensitive project data, internal reasoning, user content, or injected instructions, the system creates a durable disclosure surface that can leak confidential information to later users, agents, logs, or reports.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
lib/modelSelector.js:184