Boss

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: boss-skill
Version: 0.1.0

The skill bundle is classified as suspicious because of its extensive use of powerful tools, particularly `Bash` for shell execution, across multiple sub-agents (`boss-architect`, `boss-backend`, `boss-devops`, `boss-frontend`, `boss-qa`). These capabilities are intended for legitimate software development tasks such as running tests, building, and deploying applications, but they introduce a significant attack surface: a prompt injection attack against the AI agent could misuse the `Bash` capabilities, leading to Remote Code Execution (RCE) or unauthorized file system manipulation on the host system. For example, `scripts/init-project.sh` uses `rm -rf` and `mkdir -p`, and `agents/boss-qa.md` explicitly instructs the agent to execute various test commands via `Bash`. Although the skill itself contains no malicious instructions, the inherent risk of such broad shell access elevates its classification to suspicious.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may modify an existing codebase, run tools, and deploy or start services before the user has reviewed the exact changes.

Why it was flagged

The skill can proceed through implementation, testing, and deployment with all confirmation checkpoints disabled, and the normal workflow does not show a separate pre-deployment approval.

Skill content

`--quick` | Skip all confirmation checkpoints and execute fully automatically ... Stage 3: Development + continuous verification ... Stage 4: Deployment + delivery
Recommendation

Avoid `--quick` on important repositories, require explicit approval before shell commands and deployment, and run it in a branch, container, or disposable workspace.

What this means

This can execute project code, install or use dependencies, open local ports, and leave services running.

Why it was flagged

The DevOps agent is explicitly allowed to execute shell commands and start project services or containers.

Skill content

`tools: ... Bash` ... `npm run dev` ... `npx serve` ... `docker-compose up -d`
Recommendation

Review generated commands before execution, prefer local-only/sandboxed deployment, and verify the stop/cleanup command after use.

Note (High Confidence)

ASI08: Cascading Failures

What this means

An early misunderstanding can become many file changes or a deployed service if not caught.

Why it was flagged

Each stage uses prior artifacts as inputs for later agents, so a mistaken or unsafe requirement/design can propagate into code, QA, and deployment.

Skill content

`产物驱动` (artifact-driven): each stage produces documents, and the next stage builds on the previous stage's artifacts
Recommendation

Review `.boss` planning artifacts and diffs before allowing implementation or deployment to continue.

What this means

Sensitive project details could remain in the repository and might be committed or reused in later tasks.

Why it was flagged

The skill stores requirements, architecture, QA, and deployment details in persistent project files that later stages read.

Skill content

Save artifacts to `.boss/<feature>/`: `prd.md`, `architecture.md`, `ui-spec.md` ... `qa-report.md`, `deploy-report.md`
Recommendation

Do not put secrets in requirements, review `.boss` files before committing, and add `.boss/` to `.gitignore` if the artifacts should stay private.

What this means

Requirements, repository context, and generated artifacts may be shared across several subagents during the pipeline.

Why it was flagged

The workflow passes task context and prompt content to multiple general-purpose subagents as part of orchestration.

Skill content

`Task( subagent_type: "general_purpose_task", description: "PM: 创建 PRD", query: pm_prompt + ... )`
Recommendation

Limit sensitive context, confirm which subagents/tools are allowed, and avoid including credentials or private data in task descriptions.