Multi Agent Builder

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

New agents may receive more ability to read, write, edit, execute, browse, or manage processes than their role requires.

Why it was flagged

Every generated agent receives the full tool profile regardless of role, even though the included permission profiles describe least-privilege role-specific tools with exec disabled for several roles.

Skill content
tools: {profile:'full'},

Recommendation

Apply the documented per-role permission profiles in code, keep exec/process/browser disabled unless needed, and ask the user before granting elevated tools.

What this means

Creating one team could overwrite or remove existing agents with the same generic IDs, potentially breaking unrelated teams or workflows.

Why it was flagged

Only the team leader is team-prefixed; specialist agents keep generic IDs such as product-manager, and existing agents with those IDs are removed from the global OpenClaw config before new ones are added.

Skill content
const roleIdMap = new Map(roles.map(r => [r, (r==='team-leader' ? leaderId : r)])); ... cfg.agents.list = cfg.agents.list.filter(a => !resolvedRoleIds.includes(a?.id));

Recommendation

Team-prefix all generated agent IDs, detect collisions before writing, show a config diff, require approval for replacements, and create a fresh backup for every run.

What this means

The environment could gain extra skills the user did not explicitly approve, increasing supply-chain and permission risk.

Why it was flagged

The provisioning instructions allow automatic installation of optional third-party skills after scanning, with only a post-install report for non-blocked items.

Skill content
Default policy: install both **required** and **optional** skills automatically... No per-item confirmation is required under this policy;

Recommendation

Make optional skill installation opt-in, require user confirmation for each skill with source/version/risk details, and install only required dependencies by default.

What this means

A malformed team or role name could cause files to be created or overwritten outside the intended team workspace.

Why it was flagged

Team and role values from CLI arguments are used in filesystem paths without code-level validation for safe characters, path separators, or dot segments.

Skill content
const team = args.team; ... const teamRoot = `/root/.openclaw/workspace-${team}`; ... fs.writeFileSync(path.join(agent.workspace,'SOUL.md'),soul);

Recommendation

Enforce a strict allowlist for team and role IDs before any file or config writes, reject path separators and '..', and verify resolved paths stay under the intended workspace.

What this means

Using the skill runs local Node scripts that can modify OpenClaw configuration, but the artifact does not show hidden remote command execution.

Why it was flagged

The static scan flagged child_process usage; in context, it runs bundled local scripts as the skill's stated single entrypoint flow.

Skill content
const r = spawnSync('node', [new URL(file, import.meta.url).pathname, ...extra], { stdio: 'pipe', encoding: 'utf8' });

Recommendation

Keep script targets fixed to bundled files, avoid arbitrary command execution, and document that the skill executes local scripts during team creation.

What this means

A broad bot token or account could let the created team read or post in more channels than intended.

Why it was flagged

Channel credential handling is purpose-aligned for bot binding and requires user input, but users should notice that credentials may be used to bind the team leader to an external channel.

Skill content
After user provides channel token/credentials, perform binding automatically.

Recommendation

Use a dedicated, least-privileged bot/account and review groupPolicy, requireMention, and allowlist settings before binding.

Findings (1)

critical

suspicious.dangerous_exec

Location
scripts/create_team.mjs:21
Finding
Shell command execution detected (child_process).