Quickly Create an AI Agent Virtual Company

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a real OpenClaw company/team builder, but it also grants broad ongoing assistant, monitoring, configuration, account, and skill-management powers beyond a clearly bounded setup task.

Install only if you intentionally want a high-control OpenClaw company administration skill. Before use, back up ~/.openclaw/openclaw.json and the workspace, review the generated AGENTS.md/TOOLS.md/HEARTBEAT.md files, and avoid enabling email, calendar, social, git push, Telegram account changes, or skill distribution/deletion unless you explicitly need those powers and can review each change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (13)

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding:
This section expands the skill from 'company builder' into a general-purpose personal assistant that may browse the web, access calendars, and act broadly within the workspace. That scope mismatch is dangerous because a user invoking a company-setup skill would not reasonably expect it to obtain or act on unrelated personal data or services.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The heartbeat section authorizes persistent background monitoring, proactive outreach, memory maintenance, and project checks that are unrelated to building a virtual company. This creates an overprivileged agent behavior pattern that can lead to surveillance-like access, unwanted messaging, and actions outside the user's immediate intent.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
Checking email, calendar, social mentions, and weather is unrelated to the stated purpose of creating company structures and documents. These instructions encourage access to sensitive external data sources without a functional need, increasing privacy and data-exposure risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
Authorizing the agent to commit and push changes exceeds the minimum privileges needed for drafting company files and can cause unauthorized repository modification or publication. Even if intended for convenience, source-control write and network publication are sensitive actions that should require explicit confirmation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill includes capability to distribute and delete other skills after the initial company-building flow, which expands its authority beyond the declared purpose of creating an organizational structure. This creates a supply-chain and privilege-expansion risk because a broadly triggered skill could copy executable skill content into global or per-agent locations and modify TOOLS.md across many agents without a tightly scoped, separately authorized workflow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The employee termination workflow instructs modification of Telegram routing and account configuration in addition to agent records. This crosses from content generation into live communications infrastructure management, so accidental or unintended activation could disable bots, reroute messages, or break communication channels for unrelated agents.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The heartbeat trigger is defined by matching a configured prompt, which is broad and susceptible to accidental or adversarial invocation. In a skill that already grants proactive behavior, ambiguous triggering can cause unintended background execution and unauthorized checks.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The instruction to delete BOOTSTRAP.md on first run directs file destruction without user confirmation or even preservation guidance. Even if the file is intended to be temporary, silent deletion can remove auditability, setup provenance, or user-authored content unexpectedly.

Vague Triggers

Severity: High
Confidence: 94%
Finding:
The trigger list is extremely broad and includes common words like '团队', '员工', '合作', and '技能', which can cause the skill to activate during ordinary conversation unrelated to company provisioning. In this skill, unintended activation is especially risky because the documented workflow ultimately performs real filesystem and configuration changes under ~/.openclaw after a confirmation step, so over-triggering increases the chance of steering users into privileged state-changing operations they did not explicitly intend.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill explicitly instructs the agent to create directories/files and modify OpenClaw configuration, but the README does not require an upfront, prominent user-facing warning before the workflow begins. Because these are persistent system changes, users may not understand that normal conversation will lead to writes under ~/.openclaw and config edits until late in the process.

Vague Triggers

Severity: High
Confidence: 98%
Finding:
The trigger list is extremely broad and includes everyday terms such as team, employee, cooperation, skills, hiring, and management. Because the skill performs real file and configuration changes after confirmation, overbroad activation materially increases the chance that it is invoked in unrelated conversations and shepherds users into a destructive workflow they did not intentionally request.

Vague Triggers

Severity: High
Confidence: 92%
Finding:
The manifest description uses ambiguous intent-based activation criteria without clear boundaries, causing the skill to match loosely related requests about companies, teams, or collaboration. In a skill that later writes directories and edits OpenClaw configuration, ambiguity at activation time increases the risk of unintended privileged operations.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The workflow description does not prominently warn, before the user enters the process, that confirmation will create directories, write multiple markdown files, and modify OpenClaw configuration under the user's home directory. This undermines informed consent and makes broad-trigger activation more dangerous because users may not realize they are entering a persistent system-modification flow.

VirusTotal

66/66 vendors flagged this skill as clean.
