Skill v1.3.0

ClawScan security

Team Projects · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 17, 2026, 2:01 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files mostly match a multi-agent project manager, but there are several incoherent and risky details (hardcoded local paths, instructions that make agents run local node scripts, and recommendations to grant overly-broad agent/tool privileges) that warrant caution before installing.
Guidance
This package implements the UI and local scripts needed for multi-agent project management, but several red flags deserve attention before you install it:

- Hardcoded local path: the Control view instructs an agent to run a Node command at '/home/charl/.openclaw/.../project-store.js'. That looks like a leftover developer path and would fail or, worse, cause an agent to run unexpected local binaries. Insist that the author make commands relative to the installed plugin path or configurable (TEAM_PROJECTS_DIR), and remove developer-specific absolute paths.
- Agents executing local commands: the view uses sessions.send to ask an agent to run a local CLI script. Confirm whether your agents are allowed/able to execute such commands and audit what those scripts do. If you do not want agents to run arbitrary local commands, do not enable the recommended exec/sessions_send permissions.
- Broad permissions recommended: the example config and SKILL.md advise allowAgents: ["*"] and tools.allow: ["*"]. These are convenient but grant wide access across agents and tools. Prefer least privilege: only allow the coordinator the specific agent IDs and tools it needs.
- Optional HTTP API with CORS '*': gateway-handlers.js can start an HTTP server if TEAM_PROJECTS_PORT > 0. If you enable it, bind to localhost only as shown and protect it with auth or firewall rules; CORS '*' plus no auth could expose project data to local web pages.
- Code review & sandboxing: because the skill reads/writes files under ~/.openclaw and runs Node scripts, review project-store.js and orchestrator.js in full (especially writeFileSync/appendFileSync usage) and test in an isolated environment before adding to production.
What would increase confidence: an updated SKILL.md removing hardcoded paths, a configuration option to point to the installed plugin directory, concrete minimum permission requirements (exact tools/agent IDs), and confirmation that the HTTP API supports authentication or is disabled by default. If you provide the omitted remaining files, I can re-check for other risky patterns (network calls, credential use, shell exec).

Review Dimensions

Purpose & Capability
note: The name/description match the provided code: UI plugin code, project-store, orchestrator, and gateway handler scripts implement project boards, task routing, and multi-agent orchestration. Requiring edits to the OpenClaw UI and plugin registration is consistent with adding a Control UI plugin. However, some example config and view code recommend broad permissions (allowAgents: ["*"], tools.allow: ["*"]) that are more permissive than strictly necessary and weaken the principle of least privilege. Also the view code asks an agent to run a Node CLI at an absolute developer path (/home/charl/...), which is inconsistent with a normal install flow.
Instruction Scope
concern: SKILL.md instructs modifying OpenClaw internals (expected for a plugin) but also contains instructions and code that direct agents to run local CLI scripts and read/write files under the host user's home (~/.openclaw/workspace/team-projects). The team-projects view explicitly sends a sessions message that tells an agent to 'node /home/charl/.../project-store.js list' — hardcoded absolute path and instructing an agent to execute local commands is unexpected and broad. The gateway handler optionally starts an HTTP API (if TEAM_PROJECTS_PORT set) with CORS '*' and no auth by default, which could expose local project data if enabled. The skill's instructions therefore include file I/O and command execution beyond mere UI rendering.
Install Mechanism
ok: No external install/downloads are used; this is instruction + source files the integrator must copy into the OpenClaw codebase. That reduces supply-chain download risk. The install requires direct edits to the application's source and build registration (patching tsdown.config.ts, loader, package.json exports), which is invasive but coherent for a UI plugin.
Credentials
concern: The skill declares no required env vars, but the code uses optional environment variables (TEAM_PROJECTS_DIR, TEAM_PROJECTS_PORT) and defaults to HOME or /root. Example configs and SKILL.md recommend enabling agentToAgent.allow: ["*"] and coordinator subagents.allowAgents: ["*"], and the example agent 'main' has tools.allow: ["*"]. Granting '*' to agent-to-agent and tool capabilities is broad and disproportionate for many deployments. The hardcoded absolute path in the view code is also environment-specific and unjustified.
Persistence & Privilege
note: The skill requires persistent changes to OpenClaw configuration and source (plugin SDK entry, build registration, app render/gateway patches), which is expected for a UI plugin. It does not set always: true and does not claim elevated platform privileges. Still, the recommended config changes (allowAgents: ['*'], wide tool allow lists) increase the skill's runtime reach and persistence across agent sessions.