Boss Agent
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This coordination skill is transparent about its purpose, but it asks for broad access to other agents’ histories, memory, status, and task channels without clear data-boundary or approval rules.
Install only if you intend this Boss Agent to see other agents’ conversations and memory and to send them work. Before using it, define which agents it may access, require approval for delegated operational tasks, and avoid letting it read or summarize unrelated sensitive history.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The Boss Agent could see sensitive information from other agents and direct those agents to act using their own privileges.
The skill grants itself broad authority over other agents’ histories, task channels, and status, but the artifacts do not specify permission checks, consent boundaries, or task-scoped limits.
- ✅ Read the Ass Agent's session history
- ✅ Read the Ops Agent's session history
- ✅ Send tasks to the Ass Agent
- ✅ Send tasks to the Ops Agent
- ✅ Query the status of all agents
Require explicit user approval for cross-agent reads and delegated tasks, limit access to task-relevant sessions, and document which agents and permissions are allowed.
A mistaken or overbroad instruction could be passed to another agent and acted on outside the user’s immediate view.
The skill uses direct session keys to send tasks to another agent, including the Ops Agent, without describing identity verification, message provenance, authorization, or data-boundary controls.
sessions_send --session-key agent:ops:main --message "请执行运维任务:..."
Add clear inter-agent authentication, provenance labels, task confirmation steps, and limits on what can be sent to each agent.
Private or misleading content from another agent’s memory could influence the Boss Agent’s decisions or be summarized back to the user.
The skill explicitly allows reading other agents’ session history and memory, but does not instruct the agent to treat that retrieved content as untrusted, stale, or potentially sensitive.
- **Cross-Agent queries** - can access other agents' session history, memory, and status
Treat other agents’ history and memory as untrusted context, minimize what is retrieved, redact secrets, and disclose the source of any summarized content.
The agent may attempt to list sessions or check local agent services as part of normal operation.
The command examples are purpose-aligned for coordination and status checking, but they expose operational tool usage that users should understand before enabling the skill.
sessions_list --agent ass
sessions_list --agent ops
systemctl --user status openclaw-gateway-ops.service
Keep these actions user-visible and limit them to read-only checks unless the user explicitly approves a higher-impact operation.
