Team Collab Repo

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a coherent team-collaboration skill, with the main things to notice being optional multi-model sub-sessions, local project file creation, and persistent configuration files.

This skill looks suitable for its stated purpose. Before installing, be aware that advanced mode may send your project details through several model sessions and may cost more API calls. Use default role-play mode for confidential work unless you are comfortable with the listed model routing, and only run the local helper scripts in a safe new project directory.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a project contains confidential information, that information may be shared across several model sessions/providers in advanced mode.

Why it was flagged

Advanced mode intentionally passes task context and outputs among multiple spawned role/model sessions.

Skill content
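The system will automatically invoke sub-sessions for the appropriate roles based on project needs ... Output passing: each stage's output must be passed to the next stage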
Recommendation

Use the default role-play mode for sensitive work, or explicitly confirm that sharing the task with the listed models is acceptable before using advanced mode.

What this means

Running the helper with an existing or unintended path could overwrite README.md or project.json in that target directory.

Why it was flagged

The helper script creates directories and writes files based on a user-supplied project name.

Skill content
base_dir = os.path.join(os.getcwd(), project_name) ... os.makedirs(path, exist_ok=True) ... open(os.path.join(base_dir, "README.md"), "w"
Recommendation

Run the helper only with a simple new project folder name, and check the target path before allowing file creation.

What this means

Version/source ambiguity can make it harder to confirm exactly which package content is intended.

Why it was flagged

The registry metadata reports an unknown source and version 1.0.0, while supplied skill files include other version markers such as SKILL.md v1.2.0 and nested metadata v1.1.0.

Skill content
Source: unknown ... Version: 1.0.0
Recommendation

Verify the publisher and expected version before installation, especially if relying on the helper scripts.

What this means

A changed project or global config could alter which roles/models are used in later sessions.

Why it was flagged

The skill documents persistent global and project-level configuration that can influence future role/model selection.

Skill content
Global config: `~/.openclaw/team-collab.json` ... Project config: `./team-collab.json` ... Project config takes precedence over global config
Recommendation

Review team-collab.json files in the project and global config location before relying on model/role choices.