agent-creator

Security checks across malware telemetry and agentic risk

Overview

This skill appears to create OpenClaw agents as advertised, but it makes persistent local configuration changes, copies auth profiles, and restarts the gateway with limited consent controls.

Install only if you intend to let this skill make administrator-level OpenClaw changes. Before running it, review the exact agent ID and Feishu peer IDs, inspect what auth-profiles.json grants, prefer a least-privilege profile for the new agent, and keep the openclaw.json backup so you can roll back routing changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly instructs the agent to read and write files, execute shell commands, modify `~/.openclaw/openclaw.json`, copy runtime credentials/configuration, and restart the gateway, yet it declares no permissions or user-facing guardrails. This creates a capability/consent mismatch where a broad trigger can cause sensitive local state changes and service restarts without explicit authorization boundaries.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad enough to match many ordinary requests about creating assistants or bots, increasing the chance the skill activates in contexts where the user did not intend local system modification. Because this skill performs persistent file operations and a service restart, overbroad invocation materially raises the risk of unintended execution.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The description does not prominently warn that the skill will change local config/files, copy runtime auth/model config, and restart a gateway process. Omitting this warning undermines informed user consent and makes a destructive or disruptive workflow appear like a harmless setup helper.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: agent-creator
description: "Full workflow for creating an OpenClaw Agent. Use when the user says 'create an agent', 'make a new agent', 'add a bot', or needs to set up a new AI assistant. Covers the complete setup process including (1) adding agent config and peer bindings to openclaw.json, (2) creating workspace directory with SOUL.md persona, (3) scaffolding required folders and files, (4) copying agent runtime configs from main, (5) restarting gateway to apply changes."
---

# Agent Creator - OpenClaw Agent Setup Tool
Confidence
87% confidence
Finding
create an agent', 'make a new agent', 'add a bot', or needs to set up a new AI assistant. Covers the complete setup process including (1) adding agent config and peer bindings to openclaw.json, (2) cr

VirusTotal

64/64 vendors flagged this skill as clean.
