Ai Collab
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is a disclosed multi-agent daemon, but it encourages agents to act and approve prompts without asking, use stored credentials broadly, and trust unauthenticated inbox/chat-log messages.
Install only if you intentionally want a long-running autonomous agent-collaboration setup. Before using it, remove or narrow the non-negotiable no-permission prompt, disable default Yes approvals, restrict inbox and log permissions, define exactly which credentials may be used, and avoid connecting Telegram or other external inputs unless you are comfortable with those messages being logged and routed into agents.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The primary agent could proceed with actions the user expected to review first.
The artifact instructs users to install a system-prompt-level policy that overrides normal permission-seeking and makes autonomous execution the default.
Add this to Jim's system prompt... WORKFLOW RULES — NON-NEGOTIABLE... You do not wait. You do not ask permission. You execute, log, and move forward.
Do not use this prompt as a blanket system prompt; rewrite it to require explicit user approval for sensitive, irreversible, account-changing, or credential-using actions.
A safety, file-write, command, or account prompt in the daemon session could be accepted without the user seeing the prompt contents.
The helper defaults to sending Yes into the daemon's tmux session without checking what prompt is being approved.
RESPONSE="${1:-Yes}" ... tmux send-keys -t "$SESSION" "$RESPONSE" Enter
Remove the default Yes behavior and require an explicit, prompt-specific human confirmation before sending keys to the daemon session.
Stored secrets or account access could be used by autonomous agents beyond what the user intended for a specific task.
The guidance implies the agent may use credentials already present in ~/.openclaw/.env and proceed with lower-value irreversible financial actions without escalation.
Escalate ONLY when: ... Password/2FA needed that isn't in ~/.openclaw/.env ... Decision with irreversible financial consequences > $20
Define an explicit credential allowlist, require per-task approval for credential use, and avoid authorizing any financial or account-changing action by default.
Another local process, accidental file write, or bridged message could steer the daemon and inject content into the main agent's context.
Any file moved into the inbox is treated as an Agent A message, sent to a model, and then routed back into the main OpenClaw agent without sender authentication.
inotifywait -m -e moved_to "$INBOX" ... MSG=$(cat "$FULLPATH") ... openclaw agent --agent main -m "[$AGENT_B_NAME]: $RESPONSE"
Restrict inbox permissions, validate message origin, use per-session nonces or signatures, and clearly label all received content as untrusted.
Edited, forged, or stale chat-log entries could be replayed into the main agent as if they came from Agent B.
The persistent chat log is treated as a trusted message bus; matching log lines are forwarded to the main agent without integrity checks.
tail -n +"$((LAST + 1))" "$LOG" | grep "$AGENT_B_NAME -> " ... openclaw agent --agent main -m "[$AGENT_B_NAME]: $line"
Protect the log file with strict permissions, separate audit logs from command channels, and avoid forwarding raw log lines as trusted agent messages.
The background agent may continue processing inbox messages until the tmux session, cron job, or daemon is stopped.
The long-running daemon loop is disclosed and central to the skill's purpose, but it means the agent can keep operating after initial setup.
inotifywait -m -e moved_to "$INBOX" 2>/dev/null | while read dir event file; do
Only run it deliberately, document how to stop it, and monitor active tmux/cron processes.
