agent-creator

The skill bundle automates the creation of new OpenClaw agents, which involves high-risk operations such as modifying the primary 'openclaw.json' configuration and copying sensitive credential files ('auth-profiles.json', 'models.json') that likely contain API keys. The accompanying Python script 'scripts/agent_creator.py' is vulnerable to path traversal because it fails to validate the 'agent_id' input before using it to construct file system paths for directory creation and configuration entries. While these capabilities are plausibly needed for the stated purpose of agent scaffolding, the combination of credential handling, system-level configuration changes, and unvalidated input represents a significant security risk.