Openclaw Team

Pass

Audited by VirusTotal on May 11, 2026.

Findings (1)

The skill bundle implements a multi-user Flask server for OpenClaw with several critical security vulnerabilities. Most notably, 'scripts/main.py' and 'scripts/team_chat_server.py' use the highly dangerous 'eval()' function to deserialize chat history from disk, which presents a Remote Code Execution (RCE) risk if the encrypted data is tampered with. Additionally, the bundle contains a hardcoded 'GATEWAY_TOKEN' and lacks robust input sanitization for file uploads in 'scripts/upload.py'. While these flaws are severe, they appear to be unintentional programming errors rather than intentional malice, as the overall logic remains consistent with the stated purpose of creating a local collaboration interface.