Create Agent

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it includes unsafe guidance for extracting browser/session tokens and makes persistent OpenClaw configuration changes.

Install only if you intend to let this skill create agents and change your OpenClaw routing/team configuration. Use dry-run first, back up openclaw.json and TEAM.md, review any custom workspace path, and avoid using browser session tokens from headers, cookies, or local storage; prefer official scoped API tokens or supported login flows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tainted flow: 'workspace_dir' from input (line 600, user input) → shutil.copy (file write)

Severity: Medium
Category: Data Flow
Content:
if not args.dry_run:
    import shutil
    for f in ['IDENTITY.md', 'SOUL.md', 'AGENTS.md', 'USER.md']:
        # destination is built from workspace_dir, which comes from user input (line 600)
        shutil.copy(agent_dir / f, workspace_dir / f)
    log(f"  同步到工作区", 'success')

# 3. Update openclaw.json
Confidence: 96%
Finding:
shutil.copy(agent_dir / f, workspace_dir / f)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The document gives explicit step-by-step instructions to locate, extract, copy, and reuse authentication tokens from browser network traffic, local storage, and account settings, then use them for CLI authentication and publishing. This enables credential harvesting and token replay; in the context of an agent skill with no legitimate administrative or security purpose stated, it materially increases the risk of unauthorized account access and misuse.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The guide normalizes handling highly sensitive credentials by telling users to inspect requests and storage for tokens and reuse them, while only adding a brief warning much later that a token is like a password. That is dangerous because it trains unsafe credential practices and can lead to accidental exposure, session theft, account compromise, and misuse of publishing privileges.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README explicitly states that the skill will create files under ~/.openclaw/agents/<id>/ and ~/.openclaw/workspace-<id>/ and automatically modify shared configuration files such as openclaw.json and TEAM.md, but it does not provide an explicit warning that running the skill changes persistent filesystem state and live agent/channel configuration. In an agent-management context, undocumented automatic writes to global config are security-relevant because users may run the tool expecting scaffolding only, while it can silently alter bindings, channels, and operational behavior.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill explicitly states it will automatically modify shared state files like openclaw.json and TEAM.md, which can affect routing, agent bindings, and team configuration for the whole workspace. In a skill that performs provisioning, such behavior can be legitimate, but documenting it without a prominent warning, backup guidance, confirmation requirements, or scope limitations increases the risk of accidental misconfiguration or destructive changes.

VirusTotal

64/64 vendors flagged this skill as clean.