Roundtable Skill

Security checks across malware telemetry and agentic risk

Overview

This RoundTable skill is a real multi-agent orchestration tool, but it asks for broad execution, local reading, persistence, and message-routing behavior that is not scoped clearly enough for automatic trust.

Install only after reviewing and accepting the multi-agent execution, local model-config scanning, report persistence, and notification/broadcast behavior. Use it for non-sensitive topics unless you can restrict triggers, disable broadcasting, choose an explicit output directory, and confirm that local config paths and notification destinations are tightly controlled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill advertises operational capabilities that include environment access, file reads, and file writes, but does not declare corresponding permissions. That creates a trust and enforcement gap: users and hosting platforms cannot accurately assess what the skill may access or persist, and sensitive data could be read or written without clear consent boundaries. In this context, the risk is elevated because the skill also discusses config discovery, report persistence, and multi-session execution, which increases the chance of handling sensitive data.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The declared purpose frames the skill as an implementation guide, but the documented behavior goes well beyond passive guidance into active execution: spawning subagents, sending notifications, broadcasting outputs, reading local configs, writing reports, and invoking publish/restore scripts. This mismatch is dangerous because users may authorize or install the skill expecting documentation-only behavior while it performs side-effecting operations that can expose data, alter local state, or trigger external actions. The surrounding skill context makes this more dangerous because it explicitly handles discussion history and optional broadcasting to other channels.

Intent-Code Divergence

Severity: Medium
Confidence: 79%
Finding: The documentation makes conflicting claims about context injection: one section states full prior-round history is injected, while the data-handling section says only truncated summaries are injected. This inconsistency is security-relevant because it prevents users from understanding how much potentially sensitive prior content is propagated to later agents or channels, undermining informed consent and privacy controls. In a multi-agent discussion system, ambiguity about data flow can easily lead to over-sharing of confidential content.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: This code scans user home-directory instance state and an environment-derived path to discover and read models.json files. Even though it claims to only extract id/name/tags, it still performs local file discovery over potentially sensitive application state, and OPENCLAW_STATE_DIR can redirect reads to attacker-controlled or unexpected locations, creating unnecessary local data exposure and trust-boundary crossing for a model-selection component.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding: The implementation contradicts the stated behavior by falling back to engine.chat_session_key and sending notifications through a channel other than the explicitly user-specified one. This can route discussion metadata to an unintended session, weakening user consent and creating a privacy/information-disclosure risk if the session key refers to a broader chat or stale conversation.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The package document advertises broad trigger recognition terms such as 'RoundTable/圆桌会议/圆桌讨论等' without documenting clear activation boundaries. In an agent skill, overly generic trigger phrases can cause unintended invocation on ordinary conversation, leading to unnecessary multi-agent execution, prompt hijacking opportunities, or unintended exposure of user context to spawned sub-agents.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding: The quick activation example ('请你 RoundTable 讨论一下:{你的议题}') is extremely generic and provides no guardrails about scope, authorization, or when the engine should refuse to run. Because this skill routes to real sub-agent sessions and passes full discussion history, accidental or adversarial triggering could amplify costs, leak sensitive context across agents, or cause uncontrolled execution of the discussion workflow.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The trigger list includes several generic natural-language phrases such as '圆桌讨论', '多 Agent 讨论', and '深度讨论' that may appear in ordinary conversation, making accidental activation likely. In a skill that spawns multiple sub-agents and performs a long multi-round workflow, unintended activation can waste resources, expose user context to unnecessary processing, and cause surprising behavior.

VirusTotal

VirusTotal findings are pending for this skill version.