Multi-Agent Brand Studio

Security checks across malware telemetry and agentic risk

Overview

This skill makes broad but disclosed OpenClaw setup changes for a persistent multi-agent brand workflow, and I found no artifact-backed deception, exfiltration, or destructive behavior.

Install this only if you want OpenClaw to become a persistent multi-agent brand operations environment. Review the dry-run output first, confirm the Telegram bot/channel configuration, understand that cron jobs can send owner updates and recover stale tasks, and set your own boundaries for what brand or client information may be stored in local memory files. Use explicit approval language for publishing decisions and back up QMD or memory data before following uninstall deletion steps.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger phrases are broad, natural-language commands that could plausibly appear in ordinary conversation and unintentionally activate setup or workflow behavior. In a skill that scaffolds workspaces, patches configuration, and changes routing state, accidental invocation can lead to unintended environment modification or operational side effects.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README admits that installation scaffolds directories, patches openclaw.json, adds permissions, and configures execution paths, but it does not present these changes as a prominent warning with explicit user consent requirements. In practice, users may trigger setup without appreciating that it performs persistent file-system and configuration modifications, increasing the risk of unsafe installation in sensitive environments.

Missing User Warnings

Severity: High
Confidence: 91%
Finding:
This job is configured to autonomously modify memory files and send Telegram messages without any user-facing disclosure or approval checkpoint. In practice, that can leak sensitive operational context to an external channel or cause silent persistence/manipulation of workspace state on a recurring schedule.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
This recovery job combines shell execution, file edits, session inspection, automatic redispatch, and message editing with no disclosure or approval barrier. That tool combination materially increases risk: malformed task data or compromised state could trigger unauthorized command execution paths, tamper with task records, or send misleading status updates externally and recursively requeue work.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
Using a broad conversational phrase like "looks good" as an approval trigger can cause unintended state transitions from pending review to approved. In chat-based workflows, users often use such language informally or in reference to only part of a draft, so an agent may misinterpret casual feedback as authorization for downstream posting actions, especially as future auto-posting is explicitly contemplated.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The uninstall instructions include deleting the SQLite database file but do not clearly warn that this permanently removes indexed memory data. Even though the step is marked optional, an agent or user following the instructions may execute it without understanding the data-loss consequence, making this a real safety issue in operational use.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding:
The skill instructs the agent to always write generated media into a fixed local directory under the user's home folder without any disclosure, consent, or workspace scoping. This creates a persistence channel for generated artifacts that may contain sensitive brand assets or task data, and it can lead to unintended data retention or cross-task exposure on shared systems.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The memory instructions direct the agent to persist task-derived information and brand learnings into local memory files with no privacy boundaries, retention policy, or sensitivity filtering. This can cause confidential client information, proprietary marketing strategy, or cross-brand context to be retained and later surfaced in unrelated tasks.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The file instructs the agent to write to `memory/YYYY-MM-DD.md` and update `MEMORY.md` as part of normal task completion, but it does not require explicit user approval or clearly surface that workspace files will be modified. In an agent setting, implicit persistent writes can create integrity and privacy risks by altering local state, recording sensitive task context, or poisoning future runs through accumulated memory.

VirusTotal

65/65 vendors flagged this skill as clean.
