Roundtable Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent multi-agent discussion skill, but it needs Review because it can launch many subagents and reads local OpenClaw model configuration despite stronger privacy claims.

Install only if you are comfortable with the skill launching multiple subagents and sending your topic plus prior-round summaries to them. Do not use it for secrets, credentials, private customer data, or confidential plans unless the publisher makes local config reads opt-in and enforces a real confirmation step. Prefer explicitly supplied model settings, keep chat-room broadcasting and report persistence off unless needed, and review local OpenClaw configuration access before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence (Medium, 96% confidence)

The documentation and privacy note say local instance scanning is disabled by default, but the code still reads per-user config files from home directories via `_load_from_models_json()` without an equivalent opt-in. In an agent environment, this can cause unexpected local file access and disclosure of installed model/provider metadata, violating the stated trust boundary and potentially exposing sensitive environment details even if API keys are filtered.

Description-Behavior Mismatch (Medium, 93% confidence)

The engine executes dynamically built tasks in spawned subagent sessions using user-controlled topic/context and prior agent outputs, creating an indirect prompt-injection and capability-amplification path. Because these subagents may have tool access and the code does not enforce strong capability restrictions or trust boundaries on propagated content, untrusted discussion text can influence downstream agent behavior.

Missing User Warnings (Medium, 87% confidence)

The report documents an independent chat-room feature that broadcasts agent discussion content to another user-visible channel, but it does not clearly warn about disclosure boundaries, consent, or what data may be forwarded. In a multi-agent discussion engine, intermediate reasoning, prompts, user-provided content, or sensitive workflow data could be exposed to unintended recipients or contexts if users enable the feature without understanding its privacy implications.

Vague Triggers (Medium, 88% confidence)

The activation examples are very broad ('RoundTable/圆桌会议/圆桌讨论等'), which increases the chance the skill is invoked unintentionally by ordinary user phrasing rather than an explicit command. In a multi-agent orchestration skill that can spawn real sub-agents and inject full discussion history each round, accidental invocation can trigger unnecessary model actions, context exposure, and resource consumption.

Vague Triggers (Medium, 96% confidence)

The trigger list includes very generic phrases such as '圆桌讨论', '多 Agent 讨论', and '深度讨论' that can plausibly appear in normal user requests, causing the skill to activate unintentionally. In an agent system, unintended activation can redirect workflows, invoke extra sub-agents, expose more context to additional components, and create denial-of-wallet or privacy risks through unnecessary multi-agent execution.

Ssd 3 (Medium, 89% confidence)

The framework explicitly requires injecting complete discussion history into later rounds, which creates unnecessary cross-agent data exposure and increases the chance that sensitive user inputs, secrets, or internal intermediate reasoning are echoed to agents that do not need them. In a multi-agent system, broad history sharing expands the blast radius of any prompt injection, leakage, or over-retention issue because each subsequent agent receives all prior content by default.

Ssd 3 (Medium, 92% confidence)

The Host summary prompt includes the full discussion history in the final synthesis stage, which can cause prior user content and all intermediate agent outputs to be recopied into the final response even when not necessary. This is dangerous because final reports are often shared more broadly or stored longer, so any sensitive material present anywhere in the history may be unintentionally disclosed or amplified.

Ssd 3 (Medium, 95% confidence)

The usage instructions codify passing complete discussion history to subagents on every round, making overexposure a built-in operating model rather than an incidental prompt issue. In this skill context, that is more dangerous because the engine is designed for repeated heterogeneous agent routing, so any sensitive content can be replicated across many sessions and models, multiplying leakage, retention, and prompt-injection propagation risks.

VirusTotal

VirusTotal findings are pending for this skill version.