Agent Swarm - 多智能体集群编排

Security checks across malware telemetry and agentic risk

Overview

This is a coherent multi-agent orchestration skill, but it deserves Review because it enables command execution, browser automation, scheduled jobs, broad file changes, and persistent prompt memory without strong guardrails.

Install only if you want agents that can write files, run commands, automate a browser, and create scheduled jobs. Before use, review the OpenClaw config, disable cron/browser/exec for agents that do not need them, require exact command and cron previews before execution, keep credentials out of experience memory, and avoid using untrusted agent IDs or base paths with the helper scripts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (9)

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The guide grants the automator agent high-risk capabilities including exec, process, cron, and browser, even though the skill is described primarily as multi-agent task decomposition and orchestration. Combining scheduled execution with code execution and browser access increases the attack surface and enables persistence, unattended actions, or abuse if the automator receives unsafe prompts or is compromised.

Context-Inappropriate Capability

Low

Confidence: 88% confidence
Finding: The setup guide instructs users to place raw API keys directly into a JSON configuration example, which encourages insecure secret handling for a skill whose purpose is orchestration rather than credential management. This can lead users to store secrets in plaintext files that may be copied, logged, or checked into version control.

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The tool provisions agent templates with broad capabilities such as write access by default, network access for the researcher template, and exec/process permissions for the coder template. In a multi-agent orchestration skill, creating subordinate agents with powerful filesystem and execution privileges expands the attack surface and can enable prompt-injection-driven file tampering, data exfiltration, or arbitrary command execution if these agents are later invoked on untrusted tasks.

Context-Inappropriate Capability

Medium

Confidence: 93% confidence
Finding: The script constructs write paths from user-controlled `--base-path` and `agent_id` without constraining them to an approved root or validating path traversal sequences. In a multi-agent environment, this allows a caller to create or overwrite files outside the intended agent memory area, which can tamper with other agent state or clobber arbitrary writable files on the host.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The document advertises agents that can write files, execute commands, and set cron jobs, but it does not prominently warn users about these state-changing and persistent actions. In practice, this can lead to silent system modification, scheduled task persistence, or unsafe execution initiated under a broad orchestration umbrella.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The experience injection mechanism reuses stored historical content by inserting it into future prompts without any warning about privacy, integrity, or cross-task contamination risks. If prior memory contains secrets, user-specific data, or adversarial text, it can be propagated into later tasks and influence downstream agents unexpectedly.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The document shows an API key field populated as a direct configuration value without any caution about secure storage, exposure, or rotation. This is dangerous because users commonly copy such examples verbatim, leading to plaintext credential storage and potential compromise of paid model endpoints or connected services.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The permanent deletion branch calls shutil.rmtree(agent_path) directly when --no-backup is supplied, with no interactive confirmation, dry-run, or additional safeguard. Because agent_id and base_path are user-controlled, operator mistakes or unsafe automation can irreversibly delete agent data, making accidental destructive actions more likely in an orchestration environment managing multiple agent workspaces.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The tool stores arbitrary free-form `experience` text and later emits it verbatim through `inject_experiences()` for insertion into prompts. In an agent-swarm skill, that memory becomes cross-task prompt input, so a user can plant prompt-injection instructions, secrets, or misleading guidance that persists and influences future agent behavior or leaks prior sensitive content.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal