v1.0.0

Agent Forge

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:18 AM.

Analysis

Agent Forge is purpose-aligned but high-impact: it creates persistent agents, changes OpenClaw permissions, exposes cross-agent sessions, and uses shell helpers with unsafe path handling.

Guidance: Install only if you intentionally want a tool that can create persistent OpenClaw agents and change gateway permissions. Before running it, review the generated gateway patch, keep tool and agent allow lists minimal, avoid sandbox `none` unless the agent is fully trusted, and use only simple validated agent IDs.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
scripts/remove-agent.sh
AGENT_ID="${1:-}" ... rm -rf "$AGENTS_DIR/$AGENT_ID"

The removal helper uses the supplied agent ID directly in an rm -rf path and only checks that it is non-empty; it does not enforce the lowercase/hyphen ID format described in SKILL.md. IDs containing slashes or traversal components could target unintended paths.

User impact: A malformed or malicious agent ID could cause the helper to delete or modify the wrong local files.
Recommendation: Only use simple lowercase hyphenated IDs, review the exact paths before running removal, and add script-side validation such as a strict regex for agent IDs.
Rogue Agents
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Create a complete, independent, runnable OpenClaw agent ... `cron`, `session_status`, `subagents`

Creating independent runnable agents with optional cron, subagent, and session tools is the stated purpose, but it creates persistent autonomous capability that should be deliberately approved.

User impact: New agents may continue to exist and operate after the initial setup unless manually configured, monitored, or removed.
Recommendation: Create only agents you intend to maintain, grant the smallest tool set needed, avoid sandbox `none` for untrusted agents, and document how each agent will be stopped or removed.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
metadata
Source: unknown; Homepage: none

The skill includes executable shell scripts, but the registry metadata does not provide a source repository or homepage for provenance review.

User impact: Users have less external context for who maintains the skill and where updates originate.
Recommendation: Review the included scripts before use and prefer installing from maintainers or repositories you trust.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
Immediately call `gateway config.patch` to update ... `agents.list[main].subagents.allowAgents` ... `tools.agentToAgent.allow` ... `tools.sessions.visibility` — ensure it is `"all"`

The workflow requires automatic gateway permission changes that add the new agent to subagent and agent-to-agent allow lists and make all sessions visible.

User impact: Installing or using the skill can expand which agents may communicate and what session information they can see.
Recommendation: Treat each gateway patch as a privileged change: review the final patch, limit allow lists to the minimum needed agents, and avoid setting session visibility to all unless required.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Call `sessions_list()` to view all active sessions ... take its `sessionKey` and pass it to `sessions_send`

The generated inter-agent protocol teaches agents to enumerate active sessions and send messages by session key, while the gateway patch sets session visibility to all.

User impact: Other agents may be able to discover session metadata and communicate across sessions more broadly than expected.
Recommendation: Constrain session visibility and agent-to-agent permissions, and avoid sharing session keys or session listings with agents that do not need them.
Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
scripts/deploy-agent.sh
cp "$MAIN_USER" "$AGENT_WORKSPACE/USER.md" ... cat > "$AGENT_WORKSPACE/MEMORY.md"

The deploy script copies the main USER.md into each new agent workspace and creates persistent memory files for that agent.

User impact: Personal context from the main workspace may be replicated into new agents and reused later.
Recommendation: Review USER.md before copying it to new agents, remove unnecessary personal details, and periodically audit generated MEMORY.md files.