
Security audit

Openclaw Team Builder

Security checks across malware telemetry and agentic risk

Overview

This looks like a real OpenClaw team-management skill, but it can make broad persistent changes and asks users to handle bot credentials in unsafe ways.

Install only if you trust the publisher and are comfortable with it changing your OpenClaw agents, SOUL files, channel bindings, agent-to-agent permissions, and gateway state. Before running write actions, ask for an exact change summary and approve external channels one by one. Do not paste bot tokens or app secrets into ordinary chat or shell commands; use a secure local prompt, environment reference, or secret manager where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The manifest frames the skill as team management, but the documentation also covers collecting credentials and configuring external messaging integrations. That scope expansion is security-relevant because users may invoke the skill expecting low-risk org management while it performs broader account-linking actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: Automatically binding a newly created agent to all enabled channels is a broader action than simply adding an agent to a team. This can expose the new agent on external communication surfaces without explicit, granular user consent for each channel.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The skill instructs the user to provide third-party bot tokens and app secrets directly for use in commands, even though credential brokerage is not clearly central to basic team-building. Handling these secrets materially increases security sensitivity because compromise would grant control over external bots and integrations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The skill includes full lifecycle channel-management operations for Telegram, Discord, and Feishu, which materially extends its authority beyond org-tree management. Broader capability in a single skill increases the blast radius of accidental activation or misuse.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The skill extends beyond team management into provisioning external channel accounts and storing credentials such as bot tokens and Feishu app secrets in persistent configuration. This increases the blast radius of the skill: an agent invoking a seemingly administrative tool can cause credentialed integrations to be added or modified, and secrets may be written to disk without a narrowly scoped permission boundary.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: This code configures third-party messaging accounts and binds them to agents, which is materially more sensitive than ordinary team-structure operations. In skill context, bundling external account setup into a team builder makes unintended secret handling and unauthorized outbound integration more likely, especially when called programmatically by another agent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The health-check and auto-fix functionality is not read-only: it edits runtime configuration, regenerates agent files, adds bindings, and restarts the gateway. That makes a diagnostic-sounding feature capable of materially changing system state, which is risky if an agent or user expects inspection only.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The README shows passing a bot token directly on the command line without any warning about credential exposure. Command-line secrets can leak via shell history, process listings, logs, screenshots, or copied terminal transcripts, making this a real operational security issue even though it appears only in documentation.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: Triggers like “channel”, “绑定” (bind), and “飞书配置” (Feishu configuration) are broad everyday phrases that may cause the skill to activate in conversations that are not intended to modify team configuration. Because this skill can change local config and external bindings, accidental invocation is more dangerous than in a read-only skill.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The skill explicitly tells the agent to ask users for bot tokens and app secrets in chat, without warning about sensitivity, retention, or safer handling. Secrets transmitted in chat may be stored in logs, history, analytics, or transcripts, creating a high likelihood of credential exposure.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The workflow says agent creation will automatically bind to all enabled channels and restart the gateway, but it does not present these as system-affecting actions requiring advance consent. Hidden side effects can disrupt service and unintentionally expose agents on external channels.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: Rollback in batch mode can delete agents and overwrite core configuration files without an interactive warning when `--yes` or `--index` is supplied. Because this is destructive state-changing behavior exposed through automation-friendly flags, an invoking agent or script can silently remove resources and revert configuration to an older state.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: Batch channel configuration writes bot tokens and app secrets into config with little or no disclosure in non-interactive mode. This is dangerous because secrets passed as CLI arguments may be exposed via shell history or process inspection, and persistent storage in a general config file increases the chance of accidental leakage or misuse.

Ssd 3

Severity: High
Confidence: 99%
Finding: The workflow directs users to paste secrets into chat and then use them in follow-up commands, which is a classic insecure secret-handling pattern. This exposes credentials to transcript retention, debugging logs, shell history, and accidental disclosure, potentially allowing takeover of Telegram, Discord, or Feishu bots.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.