Skill v1.0.0

ClawScan security

Agent Swarm - Multi-Agent Cluster Orchestration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 4, 2026, 9:46 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
Skill is broadly coherent with a multi-agent orchestration purpose, but it asks you to modify local OpenClaw configuration, trusts a private model provider, gives some agents exec/process rights, and the SKILL.md contains a prompt-injection signal (unicode-control-chars) — these things warrant caution before installing.
Guidance
What to consider before installing or using:
- Back up your OpenClaw config (~/.openclaw/openclaw.json) before applying any template changes. The skill instructs merging its agents list into your config and restarting the gateway.
- The skill assumes a 'chj-private' provider and specific model IDs. Verify the provider endpoint (the template uses http://127.0.0.1:8765) and do not add API keys or endpoints you don't control. If you must add credentials, treat them like secrets and confirm the provider is trusted.
- Several agents (coder, automator, analyst) are allowed to run exec/process operations (shell commands). That is coherent for code/automation tasks but increases risk if an agent is given or generates malicious commands. Only grant such permissions in an isolated or well-monitored environment.
- The experience_logger supports injecting past experiences into prompts. If those memories may contain sensitive data, consider sanitizing or limiting memory content before allowing injection.
- The SKILL.md contains detected unicode control characters (possible prompt-injection obfuscation). Open the file in a text editor that can reveal hidden characters and remove them or request a clean copy from a trusted source.
- Recommended safe steps: inspect the scripts locally, run init scripts in an isolated test workspace (not production), and review/approve any config changes manually rather than blindly copying templates.
Findings
[unicode-control-chars] unexpected: Scanner found unicode control characters in SKILL.md. This is not expected for a documentation/configuration file and can be used for prompt injection or obfuscation. Recommend inspecting SKILL.md and removing/normalizing hidden characters before use.

Review Dimensions

Purpose & Capability
ok
Name/description (multi-agent orchestration) match the included files and instructions: configuration templates, init and management scripts, spawn examples and a permissions matrix. The provided scripts (init_agents, agent_manager, experience_logger) are appropriate for creating and managing agent workspaces.
Instruction Scope
note
SKILL.md instructs editing ~/.openclaw/openclaw.json, restarting the gateway, and creating /workspace/agents directories — these are expected for enabling multi-agent orchestration, but they do ask the operator/agent to read/write local configuration and filesystem paths. The skill also recommends injecting experience snippets into prompts which can surface prior task data. No unrelated system-wide reads are requested, but the scope touches user config and runtime services.
Install Mechanism
ok
Instruction-only skill with no external install downloads. Code files are included in the skill bundle (no external network installs), so nothing will be fetched from arbitrary URLs during install. This is lower risk from an install standpoint.
Credentials
note
The skill does not declare required environment variables, but it expects the user to configure a 'chj-private' model provider (baseUrl and apiKey) in OpenClaw config. That is reasonable for a skill that references specific models, but it requires adding credentials/config to your local openclaw.json. Also several agents (coder, automator, analyst) are explicitly allowed exec/process which grants them the ability to run shell commands — coherent for their roles but raises potential for unintended command execution if the agent receives or generates unsafe tasks.
Persistence & Privilege
ok
Skill does not request 'always: true' or other elevated permanent privileges. Its scripts create and manage files under /workspace/agents and modify the user's openclaw.json if followed manually — this is expected behavior for a configuration/management skill, but it does change local configuration when applied.