add-agent
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to create the requested agent, but it also gives the new agent broad access by copying the main agent’s auth profiles and making all sessions visible.
Review this skill carefully before using it. It does not show clear malicious behavior, but it can significantly expand access: the new Telegram agent may receive copied credentials from the main agent and visibility into all sessions. Prefer creating a new agent with minimal credentials, limited session visibility, and explicit approval for each copied auth profile.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The new Telegram-linked agent may inherit the main agent’s account/API access and could act with credentials the user did not intend to delegate.
The workflow copies the main agent's entire auth profile store to the new agent, with no scoping to selected credentials or separate approval step.
cp ${MAIN_AGENT_DIR}/auth-profiles.json \
${NEW_AGENT_DIR}/auth-profiles.json
Do not copy all auth profiles by default. Require explicit confirmation, copy only the named profiles the user selects, and prefer separate least-privilege credentials for the new agent.
Private conversations, task history, or user context may become visible to the new agent and reused across future tasks.
The skill instructs enabling all-session visibility for tools, which can expose session context broadly to the newly created agent.
"sessions": {
"visibility": "all"
}
Keep session visibility limited unless the user explicitly approves broader sharing. Document exactly what session data the new agent can access.
A mistake in parameters or paths could alter OpenClaw configuration, workspace contents, or file ownership.
The skill uses local shell commands and direct configuration edits to create and configure the agent. This is central to the stated purpose and includes a backup/JSON validation step, but it is still a high-impact local mutation workflow.
Once a new agent request is received, execute in the following order: ... openclaw agents add ${AGENT_ID} ... Update openclaw.json ... chown -R
Review the generated `openclaw.json` changes and backups before restarting the gateway, and validate that the agent ID and paths are safe and expected.
Tasks and information can flow between the main agent and the new agent after setup.
The skill intentionally enables communication between the main agent and the new agent. The allow list is narrow, but it creates a new data-flow boundary users should understand.
"agentToAgent": {
"enabled": true,
"allow": ["main", "${AGENT_ID}"]
}
Verify the allowed agent list and ensure the new agent's role, Telegram access, and session visibility match the user's intended data-sharing boundary.
The new bot/agent may keep receiving messages and operating until disabled or removed.
The skill creates a persistent new agent and an external Telegram bot binding. This is disclosed and purpose-aligned, but persistence means the agent continues to exist and operate after the initial setup.
Quickly add a new isolated Agent with a dedicated Telegram Bot.
Install only if a persistent extra agent is desired, and document how to disable the Telegram bot, remove the agent, and revoke any copied credentials if needed.
