Security audit

调控员

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only multi-agent dispatcher that openly delegates work and writes coordination records, but users should understand it persists task state and depends on separate subagents.

Install only if you want an OpenClaw workflow that delegates tasks to alpha/bravo/charlie/delta/echo and verifier agents. Review those subagents separately, avoid putting secrets in task descriptions or progress files, and clear memory/progress, regressions.md, and CURSOR_SYNC.md when you do not want task history retained.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Description-Behavior Mismatch

High

Confidence: 96% confidence
Finding: The skill advertises the dispatcher as 'purely dispatching' and forbids execution tools, yet later requires the dispatcher to create, read, append, and interpret local progress and memory files. This contradiction is dangerous because it obscures the agent’s real capabilities and side effects, making policy review and user consent unreliable.

Intent-Code Divergence

High

Confidence: 98% confidence
Finding: The document explicitly bans direct read/write/edit tools for the dispatcher, but later mandates direct file creation, progress reads during crash recovery, and appends to memory and sync files. Conflicting rules like this create unsafe fallback behavior: implementations may bypass intended controls or silently perform privileged local writes under the guise of orchestration.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill mandates writing progress, daily memory, and CURSOR_SYNC files as part of normal completion, but does not clearly warn users up front that persistent workspace files will be modified. Hidden persistence is risky because it can store task metadata or user content beyond the immediate session, surprising users and complicating privacy and audit expectations.

Missing User Warnings

Low

Confidence: 90% confidence
Finding: The skill also requires persistent logging of failures and regressions to files without clear user notice. Even if intended for diagnostics, these records can accumulate sensitive operational details, error messages, paths, or fragments of user requests, creating avoidable privacy and information-retention risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.