Multi Agent Builder

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate team-building purpose, but it can make persistent OpenClaw configuration changes and install optional dependencies with too little per-change user control.

Install only if you intend to let this skill modify your live OpenClaw setup. Before running it, require a dry-run or manual review of the exact openclaw.json diff, workspace paths, generated agent IDs, permissions, and any channel binding. Do not allow automatic optional skill installs, and change generated agents from full tool access to role-specific least privilege.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding:
The playbook authorizes automatic installation of both required and optional skills, which is an operational side effect far beyond the stated scope of building or planning a reusable multi-agent team. This creates a supply-chain and unauthorized-action risk because the skill can fetch, assess, and install third-party components without explicit user approval for each change.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding:
The playbook instructs the agent to apply permission profiles per role, effectively changing tool access and operational privileges despite the manifest describing a team-building/planning function. Even if intended for convenience, silent permission configuration can expand access in ways the user did not clearly request and increases the blast radius of any downstream compromise.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
Searching registries, falling back across installers, and automatically installing dependencies are not necessary for a role-analysis/team-design skill and introduce unnecessary external interaction and supply-chain exposure. The fallback logic also increases the chance that a package is sourced from a less trusted location when the primary path fails or is rate-limited.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
The script does more than generate a team plan: it directly loads and rewrites the live OpenClaw configuration, creates agent workspaces under /root, removes existing agents with matching IDs, and persists new runtime state. In a skill advertised as a reusable team-building assistant, this creates an integrity risk because invoking the skill can silently alter the agent runtime and operational topology rather than producing a reviewable artifact first.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
The code can bind the generated leader agent to an external messaging channel/account by updating cfg.bindings when account-id is supplied. That extends the skill from local planning into externally reachable deployment, enabling unintended communications exposure or message routing changes without clear user-facing justification for a team-builder skill.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The document instructs automatic channel binding after the user provides a channel token or credentials, but it does not warn about secure handling, storage, scope validation, or the operational consequences of performing the binding. In a multi-agent builder skill, this creates a real risk of users handing sensitive integration secrets to the system without informed consent, potentially enabling unintended channel access, misbinding, or persistent automation against external communication surfaces.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
Automatically installing optional skills without prior user confirmation violates the principle of informed consent and can introduce unnecessary capabilities or risky third-party code into the environment. In this skill context, optional components are especially problematic because they are not required to fulfill the user's core team-design request.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script performs many filesystem writes, creates directories, writes multiple markdown control files, and finally overwrites the main config file, all without any user-visible warning, prompt, or confirmation. Even with a temp file and backup, this is still a safety issue because users may believe they are requesting planning output while the skill is making persistent operational changes.
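The Overview asks for a dry-run or manual review of the exact openclaw.json diff before the skill is allowed to touch the live setup, and the findings above on the config rewrite (agents removed by matching ID, workspaces under /root), on the cfg.bindings channel binding, and on the silent config overwrite all describe changes such a review would need to surface. The following pre-flight reviewer is an added example and is not code from the skill, from SkillSpector, or from OpenClaw. The openclaw.json layout it assumes (a top-level "agents" list with "id", "workspace" and "tools", and a top-level "bindings" list with "agent", "channel" and "account_id") is a placeholder schema chosen for illustration, not the real file format; the two configs embedded in it are constructed. It diffs a proposed config against the live one, flags every removed or replaced agent ID, /root workspace, wildcard tool grant and new channel binding, and then shows how to cut wildcard access down to a per-role allowlist before anything is written to disk.

```python
"""Pre-flight review of a proposed openclaw.json against the live one.

Added example. The config layout used here (top-level "agents" with
"id", "workspace", "tools" and top-level "bindings" with "agent",
"channel", "account_id") is an ASSUMED placeholder schema, not OpenClaw's.
"""
import copy
import json

# Values a generator might use to grant an agent every tool (assumed spellings).
FULL_ACCESS_MARKERS = {"*", "all", "full"}


def has_full_access(tools) -> bool:
    """True when the tools field grants everything. An absent field is treated
    as unrestricted, because deny-by-default is the posture we want."""
    if tools is None:
        return True
    if isinstance(tools, str):
        return tools.strip().lower() in FULL_ACCESS_MARKERS
    return any(str(t).strip().lower() in FULL_ACCESS_MARKERS for t in tools)


def review_diff(live: dict, proposed: dict) -> list[str]:
    """Return reviewer-facing warnings for every change that needs approval.

    An empty list means nothing this check considers risky changed; it is
    not proof that the proposed config is safe.
    """
    warnings: list[str] = []
    live_agents = {a["id"]: a for a in live.get("agents", [])}
    new_agents = {a["id"]: a for a in proposed.get("agents", [])}

    # The skill deletes existing agents whose IDs collide with generated ones.
    for aid, agent in live_agents.items():
        if aid not in new_agents:
            warnings.append(f"agent removed: {aid}")
        elif new_agents[aid] != agent:
            warnings.append(f"agent replaced in place: {aid}")

    for aid, agent in new_agents.items():
        if aid not in live_agents:
            warnings.append(f"agent added: {aid}")
        workspace = str(agent.get("workspace", ""))
        if workspace == "/root" or workspace.startswith("/root/"):
            warnings.append(f"agent {aid}: workspace under /root ({workspace})")
        if has_full_access(agent.get("tools")):
            warnings.append(f"agent {aid}: unrestricted tool access")

    # A new binding makes an agent reachable from an external channel.
    known = {json.dumps(b, sort_keys=True) for b in live.get("bindings", [])}
    for binding in proposed.get("bindings", []):
        if json.dumps(binding, sort_keys=True) not in known:
            warnings.append(
                f"new channel binding: agent={binding.get('agent')} "
                f"channel={binding.get('channel')} account={binding.get('account_id')}"
            )
    return warnings


def apply_least_privilege(proposed: dict, role_tools: dict[str, list[str]]) -> dict:
    """Copy of `proposed` in which every unrestricted agent is cut down to the
    allowlist for its role. Roles without an allowlist get no tools at all."""
    tightened = copy.deepcopy(proposed)
    for agent in tightened.get("agents", []):
        if has_full_access(agent.get("tools")):
            agent["tools"] = list(role_tools.get(agent["id"], []))
    return tightened


# Constructed sample configs (not real OpenClaw data).
LIVE_CONFIG = {
    "agents": [
        {"id": "ops-bot", "workspace": "/home/openclaw/ops", "tools": ["shell", "http"]},
    ],
    "bindings": [],
}

PROPOSED_CONFIG = {
    "agents": [
        {"id": "ops-bot", "workspace": "/root/ops", "tools": "*"},
        {"id": "team-lead", "workspace": "/root/team-lead", "tools": "*"},
        {"id": "team-researcher", "workspace": "/root/team-researcher", "tools": ["http"]},
    ],
    "bindings": [
        {"agent": "team-lead", "channel": "slack", "account_id": "A123"},
    ],
}

# Per-role allowlists a reviewer would supply; team-researcher already has one.
ROLE_ALLOWLIST = {"team-lead": ["http"], "ops-bot": ["shell"]}


def main() -> None:
    for line in review_diff(LIVE_CONFIG, PROPOSED_CONFIG):
        print("REVIEW:", line)
    tightened = apply_least_privilege(PROPOSED_CONFIG, ROLE_ALLOWLIST)
    print("after least privilege, remaining warnings:")
    for line in review_diff(LIVE_CONFIG, tightened):
        print("  ", line)
    # Only now would a human decide whether `tightened` may be written to disk.


if __name__ == "__main__":
    main()
```

On the constructed input the reviewer reports nine items (the in-place replacement of ops-bot, three /root workspaces, two wildcard grants, two added agents and the new slack binding); after the allowlist is applied the wildcard warnings disappear but the structural ones stay, which is the point: least privilege fixes the tool grant, while the agent removals, the /root paths and the external binding still need a human decision.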

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content (matched text):
  Confirm with user:
  - final role list

  Do NOT ask user to confirm these internal steps; execute automatically:
  1) openclaw.json agent materialization
  2) A2A/subagents permission setup
Confidence: 93%
Finding: "Do NOT ask user"

VirusTotal

66/66 vendors flagged this skill as clean.
