Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Multi Workplace

v0.4.0

Manage multiple workplaces (project directories) with multi-agent orchestration, isolated memory, and inter-agent communication. Use when the user mentions:...

by farmerwu @dickwu
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the files and scripts: the skill scans repos, creates per-project .workplace/ directories, runs a Rust file-watcher, spawns agents, and syncs IDE context. The requested artifacts (registry in ~/.openclaw/workspace, per-project .workplace/) are consistent with the advertised functionality.
Instruction Scope
The SKILL.md instructs the agent to read many local files (README.md and other *.md, structure.json, config.json), to use agent .md files as the basis for system prompts, to write/modify project-root files (CLAUDE.md, opencode.jsonc, .cursor rules), and to update ~/.openclaw/workspace/registry.json and current.json. Using user-editable agent definitions and arbitrary project files to build system prompts is a prompt-injection risk; writing IDE/config files can clobber user content if not carefully handled.
Install Mechanism
No install spec (instruction-only), lowering install risk. The package includes build scripts and Rust source for a local file-watcher server; building runs locally and copies the binary into assets/bin. There are no network downloads or opaque external installers in the package. Pre-built binaries are mentioned but not bundled in the listed manifest — build-from-source is provided.
Credentials
The skill asks for no environment variables or external credentials. It does, however, read/write the user's home (~/.openclaw/workspace/) and project directories and expects access to git, jq, and optionally the Rust toolchain. It also writes to 'supermemory' via containerTag (platform memory); this is appropriate for multi-workplace memory but worth noting, as it stores project summaries in platform memory.
Persistence & Privilege
always:false (good). The skill spawns persistent components (kernel agent, background Rust watcher) by design and updates process-status.json and registry files. This is coherent with its purpose but increases the blast radius because these background processes read and act on local files continuously.
Scan Findings in Context
[system-prompt-override] expected: SKILL.md and references explicitly build system prompts from .workplace/agents/*.md and project files; the regex scanner flagged possible 'system-prompt-override' patterns. This is expected (the feature relies on composing prompts from user-editable files) but is also the primary risk vector: malicious or untrusted agent/markdown content can inject instructions into spawned agents.
What to consider before installing
This skill appears to do what it says, but it operates on and modifies local files and uses user-editable Markdown to build system prompts for spawned agents, which is a real prompt-injection and file-modification risk. Before installing or running it:

1) review the included scripts (init_workplace.sh, build.sh) and the Rust server source to confirm they do what you expect;
2) back up CLAUDE.md, opencode.jsonc, and any important project files in case the skill overwrites them;
3) inspect any .workplace/agents/*.md files (or any workplace skills pulled from git) before allowing them to run, since their contents become system prompts for subagents;
4) prefer building and running the Rust server yourself rather than running an untrusted prebuilt binary;
5) only install from a trusted source and consider limiting write access (or running in a sandbox) if you must evaluate it in an untrusted environment.

If you want, I can point out the exact lines in the scripts and SKILL.md that perform file writes and compose system prompts so you can review them more easily.

Like a lobster shell, security has layers — review code before you run it.

latest vk97520sm9yvdttcfjtd5bxt1a581bfd5
