Multi Agent Builder
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: multi-agent-builder
Version: 1.0.0
This bundle acts as a high-privilege administrative utility designed to automate the creation and configuration of multi-agent teams. The core script `scripts/materialize_team.mjs` performs sensitive operations, including direct modification of the global `/root/.openclaw/openclaw.json` configuration and the creation of agent workspaces with broad permissions (e.g., `exec` and `process` tools defined in `references/capability-matrix.md`). While the bundle includes extensive security-oriented documentation and instructions for 'skill-vetting' and 'least-privilege' (e.g., `references/provisioning-playbook.md`), the inherent capability to auto-install third-party skills and programmatically redefine system-wide agent boundaries represents a significant risk for privilege escalation or supply chain compromise if the agent is targeted by prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
New agents may receive more ability to read, write, edit, execute, browse, or manage processes than their role requires.
Every generated agent receives the full tool profile regardless of role, even though the included permission profiles describe least-privilege role-specific tools with exec disabled for several roles.
tools: {profile:'full'},
Apply the documented per-role permission profiles in code, keep exec/process/browser disabled unless needed, and ask the user before granting elevated tools.
Creating one team could overwrite or remove existing agents with the same generic IDs, potentially breaking unrelated teams or workflows.
Only the team leader is team-prefixed; specialist agents keep generic IDs such as product-manager, and existing agents with those IDs are removed from the global OpenClaw config before new ones are added.
const roleIdMap = new Map(roles.map(r => [r, (r==='team-leader' ? leaderId : r)])); ... cfg.agents.list = cfg.agents.list.filter(a => !resolvedRoleIds.includes(a?.id));
Team-prefix all generated agent IDs, detect collisions before writing, show a config diff, require approval for replacements, and create a fresh backup for every run.
The environment could gain extra skills the user did not explicitly approve, increasing supply-chain and permission risk.
The provisioning instructions allow automatic installation of optional third-party skills after scanning, with only a post-install report for non-blocked items.
Default policy: install both **required** and **optional** skills automatically... No per-item confirmation is required under this policy;
Make optional skill installation opt-in, require user confirmation for each skill with source/version/risk details, and install only required dependencies by default.
A malformed team or role name could cause files to be created or overwritten outside the intended team workspace.
Team and role values from CLI arguments are used in filesystem paths without code-level validation for safe characters, path separators, or dot segments.
const team = args.team; ... const teamRoot = `/root/.openclaw/workspace-${team}`; ... fs.writeFileSync(path.join(agent.workspace,'SOUL.md'),soul);
Enforce a strict allowlist for team and role IDs before any file or config writes, reject path separators and '..', and verify resolved paths stay under the intended workspace.
Using the skill runs local Node scripts that can modify OpenClaw configuration, but the artifact does not show hidden remote command execution.
The static scan flagged child_process usage; in context, it runs bundled local scripts as the skill's stated single entrypoint flow.
const r = spawnSync('node', [new URL(file, import.meta.url).pathname, ...extra], { stdio: 'pipe', encoding: 'utf8' });
Keep script targets fixed to bundled files, avoid arbitrary command execution, and document that the skill executes local scripts during team creation.
A broad bot token or account could let the created team read or post in more channels than intended.
Channel credential handling is purpose-aligned for bot binding and requires user input, but users should notice that credentials may be used to bind the team leader to an external channel.
After user provides channel token/credentials, perform binding automatically.
Use a dedicated, least-privileged bot/account and review groupPolicy, requireMention, and allowlist settings before binding.
