Back to skill

Security audit

Agent Bus

Security checks across malware telemetry and agentic risk

Overview

Agent Bus is a real Git-based agent messaging tool, but its automatic watcher can act on shared-repo messages, push changes, forward content, and inject replies into local sessions with weaker controls than users are told to expect.

Install only if you are comfortable with recurring automation that reacts to a shared Git repo. Use a private repo, do not put secrets in messages, review or disable watch.sh before enabling cron, and remove automatic task execution, reset --hard recovery, raw notification forwarding, and main-session delivery unless you explicitly need and control them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest claims built-in prompt injection defense, sensitive-content filtering, and owner-approval gates, but later sections describe these controls as optional enhancements or implementation hints. This creates a dangerous false sense of security: operators may deploy the bus assuming protections exist when the documented setup may actually forward untrusted messages into automation or a main session without those safeguards being implemented.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation instructs users to route replies with `openclaw sessions send`, while the changelog explicitly states that command is non-existent and was replaced. In security-sensitive automation, stale command guidance can cause operators to improvise or patch workflows incorrectly, potentially bypassing intended review steps or building ad hoc session-injection logic that is less safe than the intended mechanism.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The prompt instructs the agent to enumerate unrelated main-session files, select an active session, and inject inbound Git-bus content into it via `openclaw agent --deliver`. This crosses trust boundaries: untrusted repository messages can influence a separate live agent session outside the bus, enabling prompt injection, context contamination, unauthorized task steering, and possible disclosure of sensitive session context.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
Although presented as a watch/notify script, the embedded prompt tells the agent to execute tasks found in inbound message bodies and then send replies automatically. Because the message bus is a shared Git repo, this turns repo content into executable agent instructions, creating an indirect prompt-injection and unauthorized action path from any party able to write messages onto the bus.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The comments claim the script only syncs, reads messages, and notifies the owner, but the actual prompt performs much broader actions including task execution and session manipulation. This mismatch is security-relevant because it can mislead users during review and deployment, causing them to grant trust or automation privileges they would not otherwise approve.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger list is broad and overlaps with ordinary conversational phrases such as 'send task to agent', 'message another agent', and 'delegate tasks'. In assistant ecosystems that auto-activate skills from natural-language matching, overly generic triggers can cause accidental invocation of a skill that performs shell commands, repo writes, cron setup, and inter-agent messaging, expanding attack surface through misrouting or social engineering.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The quick-start encourages immediate execution of shell commands, script copying, cron registration, git push/pull, and external notifications before a prominent safety warning explains the trust model and plaintext/public-repo risks. In a security-sensitive skill that bridges agents and can automate message handling, burying the warnings later increases the chance of unsafe deployment and accidental exposure of sensitive data or autonomous processing of untrusted content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes the full contents of read messages into a temporary file under /tmp, which can expose potentially sensitive cross-agent communications to other local processes or users depending on system configuration and lifecycle handling. In this skill's context, message bodies may include delegated tasks, credentials, research output, or other sensitive agent-to-agent data, so undisclosed temporary persistence increases confidentiality risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script automatically forwards the raw output of `agent-bus.sh read` to an external messaging channel via `openclaw cron add` without explicit confirmation, redaction, or user disclosure at the time of forwarding. Because this skill is specifically designed as a cross-agent message bus, forwarded content may contain sensitive instructions, private data, or prompt-injection payloads, making automatic exfiltration to another channel materially risky.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
On pull failure, the script falls back to `git reset --hard origin/main` and writes state files automatically, which can discard local changes and silently alter the working copy. In a shared automation environment, that behavior can destroy user data or mask tampering without clear notice or approval, increasing operational and forensic risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script automatically schedules notifications and may forward task details, results, and full reply bodies to owner-facing channels and session delivery targets. If bus messages contain sensitive, adversarial, or unexpected content, this can leak data across channels and create a second-order injection path into user-visible or agent-consumed interfaces without transparent disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.