多 Agent 团队协作
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill matches its multi-agent deployment purpose, but its script broadly copies the main agent’s auth profile and uses unvalidated custom names in filesystem operations.
Install only if you intend to create persistent OpenClaw team agents. Before running the deployment script, back up your OpenClaw directory, use safe lowercase team/member names without slashes or dots, review where auth-profiles.json will be copied, and inspect the generated configuration before merging it and restarting the gateway.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Credentials or auth profiles that were originally available to the main agent may be duplicated across many persistent agent directories.
The script copies the main agent's authentication profile into each generated member agent directory, giving many new agents the same account/model access without per-agent scoping.
cp "$OPENCLAW_DIR/agents/main/agent/auth-profiles.json" ... "$OPENCLAW_DIR/agents/teams/$team/$member/agent/" 2>/dev/null || true
Prompt before copying auth files, use least-privilege per-agent profiles where possible, and clearly document which credentials are duplicated.
A mistaken or unsafe custom member name could write agent folders, session folders, and copied auth files into unintended local paths.
User-entered member names are not validated before being used in filesystem paths; names containing slashes or '..' could create directories outside the intended teams directory.
read -p "团队成员 (逗号分隔,如 frontend,backend,test): " members ... mkdir -p "$OPENCLAW_DIR/agents/teams/$team/$member"/{workspace,agent,sessions}Validate team and member IDs with a strict pattern such as ^[a-z0-9_-]+$, reject path separators and '..', and confirm the final destination paths before copying files.
Messages, session context, and browsing actions may propagate through the configured agent team if the snippet is merged.
The generated team-leader configuration permits listing/history access and spawning/sending sessions to subagents, which is expected for multi-agent collaboration but expands inter-agent data flow.
"allow": ["sessions_list", "sessions_history", "sessions_send", "sessions_spawn", "browser"]
Review the generated allowAgents and tool lists, remove browser or session tools that are not needed, and keep subagent permissions narrow.
Generated agents and their session storage can remain on disk until the user removes them.
The script creates persistent agent workspaces, auth directories, and session directories under OpenClaw; this is central to the stated purpose but remains after the script finishes.
mkdir -p "$OPENCLAW_DIR/agents/teams/$team"/{workspace,agent,sessions}Deploy only the teams you need, keep the backup, and remove unused generated agent directories and copied auth profiles when no longer needed.