Multi-Agent Coordinator

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed multi-agent coordinator, but it gives spawned workers broad edit, shell, web, and persistence authority without strong scoping or safety gates.

Install only if you are comfortable with worker agents acting under your current OpenClaw permissions. Use it in a limited workspace, inspect generated prompts before spawning workers, avoid sensitive secrets in task text or context, clean up kept sessions and .openclaw scratchpad files, and require manual approval before implementation workers edit files or run shell commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        self.tool_uses += 1
        import subprocess
        try:
            result = subprocess.run(
                command,
                shell=True,
                capture_output=True,
Confidence
99% confidence
Finding
result = subprocess.run( command, shell=True, capture_output=True, text=True, timeout=timeout )

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill documentation describes capabilities that imply file read/write, shell execution, and possibly network-like session operations, but it does not declare permissions or clearly bound those powers. In a multi-agent orchestration skill, hidden or underspecified capabilities increase the chance that users or downstream systems grant broader access than intended, making misuse or unsafe execution more likely.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose presents the skill as a production-ready coordinator, but the described behavior is broader and includes worker-side code execution, file operations, messaging, and partially simulated workflow pieces. This mismatch is security-relevant because operators may trust and deploy the skill with assumptions that do not match its actual attack surface, leading to over-privileged use or unsafe automation.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The report presents inconsistent claims about system readiness: it says the four-phase workflow has been verified successfully, while earlier text says `coordinator_v2.py` still needs to be made to actually run that workflow. In a multi-agent orchestration skill, this can mislead operators into trusting unverified automation behavior, causing premature deployment, unsafe reliance, or incorrect security assumptions about what has actually been tested.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation instructs users to run a real worker-spawning command and describes persistent writes into the `.openclaw/scratchpad/` filesystem, but it does not clearly warn about those side effects or advise users to review generated task content before execution. In an agent-oriented skill, this increases the chance that a user or downstream agent will invoke process creation and persist data automatically without understanding the operational or security consequences.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The architecture explicitly grants workers full file read/write, shell, and web capabilities while presenting them as normal execution primitives without strong warnings, constraints, or approval boundaries. In a multi-agent system, this materially increases the chance that spawned workers perform destructive local actions or retrieve/send sensitive data based on ambiguous prompts or poisoned context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Worker task and context data are written to .openclaw/scratchpad on disk without consent, minimization, or access-control checks. In an agent setting, tasks and context can contain secrets, internal paths, customer data, or sensitive prompts, so silent persistence increases the risk of local disclosure and later unintended reuse.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Raw worker notifications are stored to disk verbatim, and notification payloads can include arbitrary result content from workers. In this skill context, worker results may contain code excerpts, findings, credentials, environment details, or other sensitive material, so undisclosed persistence broadens the exposure surface.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Worker task specifications, prompts, and results are persisted under .openclaw directories without any consent, minimization, or warning to the user. In a multi-agent system, these files can contain sensitive project data, instructions, findings, or secrets and may be readable by other local processes or later workflows.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code can launch autonomous worker agents with broad tool access based only on a task string, without any explicit confirmation or safety gate at invocation time. In the context of an orchestration skill, this materially increases risk because spawned workers may read files, modify code, or use external tools in parallel before the user understands what is happening.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The coordinator writes full worker prompts to disk, and those prompts can include task text and arbitrary context supplied by users or upstream agents. In a multi-agent orchestration system, that context may contain secrets, proprietary code, investigation notes, or credentials, so persistent plaintext storage increases the chance of later disclosure through other tools, logs, backups, or shared workspace access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code persists raw worker notifications and results, which may include code excerpts, file paths, internal findings, tokens, secrets, or other sensitive output generated during delegated tasks. Because this is a coordinator for parallel workers, centralizing all outputs on disk broadens exposure and can leak sensitive intermediate data to anyone with access to the workspace or its backups.

VirusTotal

VirusTotal findings are pending for this skill version.
