Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Solo CEO
v2.1.0一人公司主 Agent 技能。当用户希望 AI 作为"主控 CEO Agent"协调多个预建的长期员工 Agent 完成任务时触发。适用于:任务拆分与分发、多 Agent 协作对话、模拟真实公司沟通流程(最多5轮对话)、最终汇总报告给用户。核心能力:CEO Agent 理解任务、将任务分发给员工 Agents、收...
⭐ 0· 128·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (CEO coordinator for multi-agent workflows) matches the high-level instructions, but SKILL.md requires enabling agentToAgent in openclaw.json and a per-agent workspace under ~/.openclaw/workspace-<agentId> (read/write of SOUL.md, MEMORY.md, etc.). The published metadata declares no required config paths or credentials — an inconsistency. If the skill truly needs filesystem access to ~/.openclaw and to the OpenClaw config, those should have been declared.
Instruction Scope
The runtime instructions explicitly direct the agent to read and update files in user workspaces (MEMORY.md, SOUL.md, create plan.md), and to modify/require openclaw.json to enable agentToAgent. That is within the skill's functional scope but broad: it persists learned preferences to disk and asks employees to read MEMORY.md as the sole source of CEO preferences. There is no guidance on sanitizing secrets or avoiding storing sensitive task details in MEMORY.md; this risks accidental long-term persistence of user data. The instructions also assume push events and sessions_yield semantics in the runtime environment, which may not exist for all deployments.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is the lowest install risk: nothing will be downloaded or written by an installer step. The security surface is entirely the runtime behavior described in SKILL.md.
Credentials
Registry metadata declares no required environment variables or config paths, yet SKILL.md requires modification of openclaw.json and read/write access to ~/.openclaw/workspace-<agentId> files. The absence of declared config paths/permissions is disproportionate to the delivered instructions and is a meaningful omission that could surprise users about file system access.
Persistence & Privilege
The skill does not set always:true and allows autonomous invocation as normal. However, it instructs persistent changes to per-agent workspace files (MEMORY.md) and expects the user to enable agentToAgent in openclaw.json. Those behaviors imply persistent state and write access in the user's home/config, which elevates privilege compared with an instruction-only coordinator that only routes messages. This persistent file-writing ability is not reflected in the metadata.
What to consider before installing
Before installing or running this skill:
- Understand that SKILL.md expects the agent to read and write files under ~/.openclaw/workspace-<agentId>/ and to require agentToAgent=true in openclaw.json. The registry metadata does not declare those paths — treat that as an omission.
- If you will store any sensitive data in tasks, avoid letting employees write it into MEMORY.md; treat MEMORY.md as persistent and review its contents regularly.
- Only enable agentToAgent if you trust the agents and runtime environment; enabling it opens inter-agent messaging and persistent workspace I/O.
- Consider running the skill in a sandboxed account or limited environment so workspace files are isolated, and inspect any files it creates (SOUL.md, MEMORY.md, plan.md).
- Ask the publisher (or require a metadata update) to explicitly declare required config paths and file access in the registry entry, and to add guidance on secret handling and sanitization.
- If you need a lower-risk alternative, use a coordinator that does not persist data to the host filesystem or that documents exactly what it will read/write.Like a lobster shell, security has layers — review code before you run it.
latestvk975d8bgv00aqd737bcragbw79838z6s
License
MIT-0
Free to use, modify, and redistribute. No attribution required.