Skill v2.0.0

ClawScan security

Multi-Agent Team Collaboration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 16, 2026, 2:19 AM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill generally does what it claims (create team directories and generate agent config) but has several incoherences and risky behaviors (hardcoded /root paths, missing required binaries, and blind copying of auth files) that you should review before installing.
Guidance
This skill mostly does what it says (create team dirs and generate agent config), but review and consider the following before installing or running it:

- The deploy/verify scripts assume /root/.openclaw (hardcoded). If you run as a non-root user the script may fail; running as root will operate on global OpenClaw data. Make sure you understand and consent to writes under /root/.openclaw.
- The scripts copy auth-profiles.json and models.json from the main agent into every created agent directory. Inspect /root/.openclaw/agents/main/agent/auth-profiles.json first; it may contain provider credentials or tokens you do not want duplicated. Consider removing secrets or sanitizing that file before running.
- The skill metadata only lists 'bash' as required, but the scripts use python3 and the 'openclaw' CLI. Ensure python3 and openclaw are present and correct, or the script will error. The metadata should be corrected to declare these dependencies.
- There are minor bugs/inconsistencies in deploy.sh (array assignment syntax, reliance on undeclared variables) that could cause unexpected behavior; review the script locally and test in a safe/non-production environment first.
- Because the script writes persistent config and directory structures and grants tools (the generated snippet includes 'browser' and sessions tools), prefer running this in a staging environment and backing up openclaw.json (the script already attempts a backup). Do not run blindly on production without auditing auth-profiles.json and confirming intended models/tools.

If you want to proceed: (1) inspect auth-profiles.json and models.json, (2) run the deploy script in a sandbox or test instance, (3) correct the declared required binaries to include python3 and openclaw, and (4) consider modifying the script to avoid duplicating credentials or to prompt before copying auth files.

Review Dimensions

Purpose & Capability
note: The files and scripts match the described purpose (interactive creation of multi‑agent teams, generation of configuration snippets, directory creation). However, the declared requirements list only 'bash' while the scripts invoke python3 and the 'openclaw' CLI; that mismatch is inconsistent. Also, the scripts operate on /root/.openclaw (hardcoded), which is more privileged than the SKILL.md's suggested user-level install path (~/.openclaw).
Instruction Scope
concern: The deploy script will read and copy files from /root/.openclaw/agents/main/agent/auth-profiles.json and models.json into every created agent directory. Copying authentication profiles is a sensitive action (it duplicates whatever credentials/config are stored in the main agent). The scripts also require invoking openclaw CLI commands and writing into the global OpenClaw directories; these side effects go beyond merely generating templates.
Install Mechanism
ok: There is no external install/download step (instruction-only plus local scripts), so there is no remote code fetch. That's lower install risk. The included scripts are the only executable content.
Credentials
concern: The skill declares no environment variables, but it reads and copies local configuration files that likely contain credentials (auth-profiles.json). It does not request these explicitly, yet will duplicate them into many subagent directories if present. Also, the metadata omits required binaries: python3 and openclaw are used but not declared.
Persistence & Privilege
concern: The scripts create and modify system/global OpenClaw state under /root/.openclaw (agents, backups, generated snippets). This requires filesystem privileges and will increase the attack surface by proliferating auth files. 'always' is false and the skill doesn't auto-enable itself, but the actions are persistent and system‑wide if run.