Skillv0.1.1

ClawScan security

team-discuss · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 4:12 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's documentation and instructions broadly match a multi-agent discussion tool, but there are inconsistencies (missing core modules), and the runtime instructions permit spawning sub-agents and reading/writing shared files — behaviors that expand its access surface and deserve caution before installation.
Guidance: This skill appears to be an orchestrator for multi-agent discussions and is not obviously malicious, but exercise caution: (1) the bundle is incomplete — SKILL.md describes core modules that are not included, so the example won't run as-is without additional code; (2) the runtime instructions allow spawning sub-agents (sessions_spawn) and persisting discussion state to disk, which can cause data to be read from your workspace and transmitted to other agents — review the prompts and any data you pass into the orchestrator; (3) confirm where the missing core code would come from (trusted source) before running; and (4) if you plan to use it with sensitive data, restrict the base_dir and avoid pointing it at project root or privileged paths. If you want, I can: list exact places to search/lock down on your system, suggest safe sandboxing steps, or attempt to map which platform permissions sessions_spawn requires.

Review Dimensions

Purpose & Capability: noteThe name/description (multi-agent discussion/orchestration) aligns with the SKILL.md: shared state, dialectic analysis, and sessions_spawn usage. However, the package claims a larger project structure (src/core modules like SharedStore, Orchestrator, DialecticEngine) that are not present in the provided files — only teamDiscuss.py, README, SKILL.md, and a demo JSON are included. That mismatch means the shipped bundle does not contain the code the docs describe, which is an incoherence (could be an instruction-only skill that expects platform-provided APIs).
Instruction Scope: concernSKILL.md instructs the agent to persist shared state to a local './discussions' directory and to call real sub-agents via sessions_spawn(runtime='subagent', agentId=..., task=...). sessions_spawn gives the skill the ability to invoke other agents and forward prompts/tasks; combined with file-based persistence this can cause data to be read/written and forwarded to other agents. The instructions also reference absolute or user filesystem paths in examples (e.g., /root/.openclaw/workspace/data/projects/team-discuss, /path/to/team-discuss/src), which — if followed verbatim or modified — could lead to reading arbitrary project data. While these behaviors are within the expected scope for a multi-agent orchestrator, they materially broaden what the skill will access and transmit, and the SKILL.md gives the agent leeway to spawn sub-agents and build prompts (potentially including contextual data).
Install Mechanism: okNo install spec is provided (instruction-only with a single example script). This is lower-risk from an install/execution perspective because nothing arbitrary is downloaded or extracted during install. However, the code and documentation reference modules (core, models) that are not included, so running the example may require installing missing code from elsewhere.
Credentials: noteThe skill declares no required environment variables or credentials, which is reasonable for a local orchestrator. That said, the instructions rely on sessions_spawn (a platform API) and file-based persistence: although no explicit secrets are requested, invoking sub-agents could cause the agent to include contextual data inadvertently in requests to other agents. The skill also suggests touching directories under the user's workspace; no environment/credential access is required by the bundle itself, but platform-level agent/session permissions could be relevant.
Persistence & Privilege: notealways is false (normal) and the skill does not request to modify other skills or system-wide agent settings. It does instruct use of a local SharedStore (file-based persistence) which will create/read/write files in the working directory; that is expected for a shared-state orchestrator but should be considered persistent storage for discussion contents.