ClawHub
Back to skill

Security audit

multi-agent-comm

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only multi-agent communication skill whose session, agent, and setup guidance is aligned with its stated purpose, though users should handle resumed sessions and API keys carefully.

Install only if you intend to use OpenClaw multi-agent sessions. Review which agents share workspaces, skills, environment variables, and session history. Prefer fresh sessions for sensitive work, resume only sessions you recognize, and keep API keys in a secure secret store rather than plaintext configs or copied folders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide tells users to resume sessions using an ID obtained from a local sessions directory, but does not warn that resumed ACP sessions may include prior prompts, memory, credentials, or task outputs from earlier work. In a multi-agent communication skill, this omission is more dangerous because cross-agent context reuse can unintentionally expose sensitive data to the wrong workflow or operator.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The migration checklist instructs users to set necessary API keys and proxies on a new device without any guidance on secure credential handling. In a setup guide for multi-agent orchestration, weak handling of shared credentials can enable unauthorized agent access, data exposure, or compromise across multiple integrated skills and services.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal