Butler Mode
Advisory
Audited by VirusTotal on Apr 16, 2026.
Overview
Type: OpenClaw Skill
Name: butler-mode
Version: 1.2.2
The 'butler-mode' skill (SKILL.md) transforms the agent into a manager that delegates all tasks to sub-agents. It is classified as suspicious because it explicitly instructs the agent to grant sub-agents 'maximum autonomy' and 'all available tools,' and specifically recommends using the 'bypassPermissions' mode in Claude Code environments. While these instructions are functionally consistent with the 'manager' persona, they encourage the removal of security boundaries and the granting of excessive privileges to sub-processes, which significantly increases the risk of exploitation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A teammate agent could edit files, run commands, or use other available tools with little containment if the user's environment exposes those tools.
This makes broad tool access the default for spawned agents instead of scoping tools to the user's specific task or requiring approvals for high-impact actions.
Always spawn agents with maximum autonomy and all available tools. Do not restrict what an agent can use or how it works.
Require explicit user approval before spawning agents, pass only the minimum needed tools/files, and avoid unrestricted delegation for sensitive projects.

Spawned agents may act with fewer permission prompts than the user expects, increasing the chance of unintended file or environment changes.
The Claude Code spawn example uses a permission-bypass mode, which can exceed normal approval boundaries for delegated work.
mode: "bypassPermissions"
Do not use bypass-permission modes by default; require task-specific approval and least-privilege execution for each teammate.

Project details or sensitive context could be shared among subagents without the user seeing or approving each exchange.
The skill encourages direct agent-to-agent coordination without defining message logging, identity checks, data boundaries, or user visibility.
Agents should coordinate directly — you don't need to relay every message
Keep inter-agent communication visible to the manager/user, define what data may be shared, and require escalation before sharing sensitive files or credentials.

Multiple agents could continue making changes or consuming resources beyond what the user expected for a single request.
The skill promotes parallel autonomous agents but does not define caps, timeouts, stopping conditions, or approval gates for additional spawned work.
Spawn multiple teammates in parallel when tasks are independent
Set a maximum number of agents, require user approval for new subagents, and enforce clear stop/kill conditions.

The agent may refuse or avoid doing direct work and instead create subagents even for tasks the user expected it to handle itself.
This intentionally changes the agent's normal behavior from doing work directly to delegating work; it is purpose-aligned but important for users to notice.
Your role is exclusively managerial. ... Delegate all substantive work to teammates.
Use this skill only when you explicitly want a manager/delegation workflow, and disable it for simple tasks that do not need subagents.

Users have less external context for verifying the publisher or reviewing the skill outside the registry.
The skill is instruction-only and has no install code, but the missing source/homepage limits provenance verification.
Source: unknown; Homepage: none
Verify the registry owner and read the full SKILL.md before enabling it.
