Openclaw Multi Agents

Security checks across malware telemetry and agentic risk

Overview

This skill fits its stated multi-agent purpose, but it needs Review because it reads and reuses prior OpenClaw history, creates persistent agents, and under-discloses its network and isolation risks.

Install only if you are comfortable letting the skill read prior OpenClaw context, create persistent agents, and reuse task-derived memory. Before use, back up `~/.openclaw`, review the generated config and session keys, keep `agentToAgent.allow` narrow, keep secrets out of memory files and interview answers, and verify paths before running the uninstall cleanup commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (28)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The skill instructs the agent to call an external API (`prompts.chat`) to fetch prompt content and incorporate it into worker personas. This expands the trust boundary from local orchestration/setup into network retrieval of untrusted third-party content, creating prompt-injection, privacy leakage, and supply-chain risk not necessary for the stated function.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The metadata claims scripts run locally only with no network calls, yet the body explicitly requires a `curl` request to an external API. This is a dangerous permissions/documentation mismatch because users and reviewers may approve the skill under false assumptions, while the skill actually introduces outbound network behavior and third-party influence.
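A check for exactly this mismatch, as an added example that is not part of the skill or of SkillSpector: it reads a skill file's metadata for a "no network" claim and greps the body for outbound-call patterns. The `---`-delimited frontmatter layout and the `network: false` field name are assumptions for this example (the page does not show the real metadata format), and the two sample skill files it builds are constructed; the `prompts.chat` path in them is a placeholder, not the skill's actual endpoint.

```shell
#!/bin/sh
# Added example; not code from the Openclaw Multi Agents skill or SkillSpector.
# Cross-checks a skill's "no network" metadata claim against what its body does.
# ASSUMPTIONS: the skill file is Markdown with a '---'-delimited frontmatter block,
# and the claim is a frontmatter line 'network: false'. Neither the field name nor
# the layout is taken from the page; adapt them to the real skill format.

# Print the frontmatter (lines between the first two '---' markers), if any.
skill_frontmatter() {
    awk 'NR==1 && $0!="---"{exit} NR>1 && $0=="---"{exit} NR>1{print}' "$1"
}

# Print the body: everything after the closing '---', or the whole file when
# there is no frontmatter at all.
skill_body() {
    awk 'NR==1 && $0!="---"{nofm=1} nofm{print; next}
         NR>1 && !done && $0=="---"{done=1; next} done{print}' "$1"
}

# Heuristic: curl/wget/nc invocations, bash's /dev/tcp, or any http(s) URL.
body_has_network_calls() {
    skill_body "$1" | grep -Eq '(^|[^A-Za-z0-9_])(curl|wget|nc|ncat)([^A-Za-z0-9_]|$)|/dev/tcp/|https?://'
}

# 0 when metadata and body agree; 1 when the metadata says 'network: false'
# but the body performs outbound calls (the divergence in the finding above).
lint_network_claims() {
    file=$1
    if skill_frontmatter "$file" | grep -Eq '^[[:space:]]*network:[[:space:]]*false'; then
        if body_has_network_calls "$file"; then
            echo "MISMATCH: $file declares network: false but its body makes network calls:" >&2
            skill_body "$file" | grep -En '(curl|wget|https?://|/dev/tcp/)' >&2
            return 1
        fi
    fi
    return 0
}

# Constructed sample skills for the demo/test (not the real skill's content);
# the prompts.chat path below is a placeholder, not the skill's actual endpoint.
make_sample_skills() {
    cat > "$1/mismatch.md" <<'EOF'
---
name: multi-agent-sample
network: false
---
# Setup
Fetch a persona prompt and store it for the worker:
curl -s https://prompts.chat/example-endpoint > persona.txt
EOF
    cat > "$1/clean.md" <<'EOF'
---
name: local-only-sample
network: false
---
# Setup
mkdir -p "$HOME/.openclaw/workspaces/manager"
EOF
}

# Demo: lint both constructed samples in a scratch directory.
demo_dir=$(mktemp -d)
make_sample_skills "$demo_dir"
for f in "$demo_dir/mismatch.md" "$demo_dir/clean.md"; do
    if lint_network_claims "$f"; then echo "OK: $f"; fi
done
rm -rf "$demo_dir"
```

Run it over every skill before approval, not just this one: a skill whose metadata makes no network claim at all passes the lint, so the check only enforces claims that were actually made. Pair it with an egress rule on the host for skills that genuinely need no network.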

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The generated WORKSPACE.md asserts that the sub-agent cannot access the main agent's sensitive files, but the setup shell script only creates directories and writes files; it implements no OS-level isolation (separate users, ACLs, sandboxing, or process restrictions). In a multi-agent skill, this documented-but-unenforced trust boundary is dangerous because users may delegate sensitive work on the false assumption that separation is enforced when it is only asserted.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The script stores detailed interview answers in a fixed file under /tmp, which can expose potentially sensitive workflow, project, and failure information to other local users or processes depending on system configuration and umask. Using a predictable shared temporary path also enables tampering, stale data reuse, and accidental disclosure beyond the user’s expectation for a planning tool.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The generated Worker documentation claims Workers must not communicate directly with the Main Agent, yet instructs them to report via the shared session key `agent:manager:main`. That inconsistency can misroute messages into a channel associated with `main`, weakening isolation boundaries and causing status leakage, spoofing, or confused-deputy behavior in the multi-agent workflow. In this skill context, communication-path integrity is central to the architecture, so contradictory session-key guidance is more dangerous than a mere documentation bug.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The Manager identity documentation says Workers report to the Manager, but the embedded session key example uses `agent:manager:main`, which is inconsistent with the rest of the stated hierarchy. In a system that relies on generated docs as operational instructions, this inconsistency can cause agents to send messages to the wrong recipient or a shared channel, undermining separation of duties and enabling cross-session confusion or unintended data exposure.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The template documents Manager-to-Main communication primarily through the manager channel, but the escalation example sends to `agent:main:main`, creating an inconsistent and potentially privilege-bypassing route. In a multi-agent orchestration system, this can cause reports to land in the wrong session, bypass expected oversight boundaries, or confuse routing logic during urgent events.
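A lint for the three routing contradictions above, as an added example that is not part of the skill or of SkillSpector: it extracts every session key from a generated Worker document and fails unless each one is that Worker's own manager channel, which catches both a key addressed to main and a manager key with the wrong id. The key shape `agent:<role>:<id>` is an assumption inferred from the keys quoted in the findings; the page does not document the real key grammar, and the two Worker docs the block builds are constructed.

```shell
#!/bin/sh
# Added example; not code from the skill or from SkillSpector.
# Lints generated Worker docs for the routing contradiction described in the
# findings: a Worker must report to its Manager only, never to the Main Agent.
# ASSUMPTION: session keys have the shape agent:<role>:<id>, inferred from the
# keys quoted above (agent:manager:main, agent:main:main); the real key grammar
# is not documented on this page.

# Every distinct session key referenced in a file.
session_keys() {
    grep -Eo 'agent:[A-Za-z0-9_-]+:[A-Za-z0-9_-]+' "$1" | sort -u
}

# 0 when every key in a Worker doc is that Worker's own manager channel,
# 1 otherwise (offending keys go to stderr). Catches both contradictions
# on this page: a key addressed to main, and a manager key with the wrong id.
check_worker_routing() {
    doc=$1
    expected="agent:manager:$2"
    bad=$(session_keys "$doc" | grep -v -x "$expected" || true)
    if [ -n "$bad" ]; then
        echo "ROUTING: $doc references channels other than $expected:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed Worker docs for the demo/test (illustrative, not the skill's templates).
make_sample_worker_docs() {
    cat > "$1/worker-contradictory.md" <<'EOF'
# Worker: researcher
Workers must not communicate directly with the Main Agent.
Report progress via the shared session key `agent:manager:main`.
If blocked, escalate to `agent:main:main`.
EOF
    cat > "$1/worker-consistent.md" <<'EOF'
# Worker: researcher
Workers must not communicate directly with the Main Agent.
Report progress to your manager via `agent:manager:mgr-01`.
EOF
}

# Demo: lint both constructed docs in a scratch directory.
demo_dir=$(mktemp -d)
make_sample_worker_docs "$demo_dir"
for doc in "$demo_dir"/worker-*.md; do
    if check_worker_routing "$doc" mgr-01; then echo "OK: $doc"; fi
done
rm -rf "$demo_dir"
```

Because the generated markdown is what the agents actually execute, run this against the workspace files the setup script writes, not against the templates in the skill repository, and run it again after every regeneration.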

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The uninstall section instructs users to run recursive deletions against directories under ~/.openclaw without an explicit warning that the action permanently removes workspaces, memories, and session history. Even though the paths are scoped and the commands are presented as optional uninstall steps, omission of a clear data-loss warning creates a real risk of accidental irreversible deletion.
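A guarded replacement for the uninstall deletions, as an added example that is not the skill's own cleanup commands: it resolves the target physically, refuses anything that does not sit strictly inside the base directory (so a symlink under `~/.openclaw` pointing elsewhere is rejected and the base itself is never deleted), prints what will be removed with an explicit data-loss warning, and requires the user to retype the path unless `yes` is passed for scripted use. Using `$HOME/.openclaw` as the base is an assumption; the demo and test use a scratch directory.

```shell
#!/bin/sh
# Added example; not the skill's own uninstall commands.
# A guarded replacement for 'rm -rf' against ~/.openclaw paths: resolve the
# target physically, refuse anything that is not strictly inside the base
# directory (including symlinks pointing outside it), show what will go,
# and require the user to retype the path unless "yes" is passed for scripted use.
# ASSUMPTION: the base is $HOME/.openclaw; the demo and test use a scratch dir.

# Physical path of a directory (follows symlinks); fails if it is not a directory.
physical_path() {
    (cd "$1" 2>/dev/null && pwd -P)
}

safe_remove_under() {
    base=$1; target=$2; confirm=${3:-ask}
    base_real=$(physical_path "$base") || { echo "base missing: $base" >&2; return 1; }
    target_real=$(physical_path "$target") || { echo "not a directory: $target" >&2; return 1; }
    case "$target_real" in
        "$base_real"/*) ;;   # strictly inside base (base itself is never deleted)
        *) echo "REFUSED: $target resolves to $target_real, outside $base_real" >&2; return 1 ;;
    esac
    echo "Permanently deleting $target_real (workspaces, memory and session history are not recoverable):"
    find "$target_real" -maxdepth 1 | head -n 20
    if [ "$confirm" != "yes" ]; then
        printf 'Retype the path to confirm: '
        read -r answer
        [ "$answer" = "$target" ] || { echo "aborted" >&2; return 1; }
    fi
    rm -rf -- "$target_real"
}

# Demo in a scratch directory standing in for ~/.openclaw.
demo_base=$(mktemp -d)
mkdir -p "$demo_base/workspaces/mgr-01/memory"
ln -s /etc "$demo_base/workspaces/escape"
safe_remove_under "$demo_base" "$demo_base/workspaces/mgr-01" yes
safe_remove_under "$demo_base" "$demo_base/workspaces/escape" yes || echo "symlink escape refused"
rm -rf "$demo_base"
```

Typical use is `safe_remove_under "$HOME/.openclaw" "$HOME/.openclaw/workspaces/<manager-id>"`; the retype prompt is the warning the skill's uninstall section omits, and the physical-path check is what makes the scope claim in that section actually hold.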

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README explicitly says the skill will read existing user context, memory, and session history automatically before asking questions. In an agent skill, broad automatic access to prior context without a prominent consent boundary, scope limitation, or privacy warning creates a real data-exposure risk because sensitive information may be pulled into later reasoning or outputs beyond the user's immediate intent.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The README advertises very broad trigger phrases such as 'Help me handle multiple things at once' and says the skill 'activates automatically.' In an agent platform, vague activation language increases the chance the skill is invoked during unrelated conversations, causing unintended orchestration behavior and possibly unnecessary access to user context or background task creation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README states the skill will read 'USER.md, memory, session history' as part of onboarding, but it does not prominently warn users about the privacy implications or require explicit consent at the point of access. In a multi-agent system, this is more dangerous because context can be propagated across Manager and Worker agents, increasing the exposure surface for sensitive information.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill instructs the agent to read USER.md, memory files, and recent session history before asking the user questions, but the description does not clearly warn users that historical and workspace context will be mined up front. This undermines informed consent and can surprise users with broad access to sensitive personal/project context.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
Writing interview responses to a predictable /tmp file without explicit notice or permission handling is a privacy and data exposure issue. The interview prompts solicit potentially sensitive business details, so silent persistence in a commonly shared temporary directory increases the chance of local disclosure or unauthorized modification.
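The hardened counterpart of the fixed `/tmp` file that this finding and the earlier Description-Behavior Mismatch finding describe, as an added example that is not the skill's own script: answers go to an owner-only file with an unpredictable name inside a 0700 directory, and `umask 077` is set before creation so there is no window in which another local user can read or swap the file. Placing that directory at `$HOME/.openclaw/private` is an assumption; the demo and test use a scratch directory.

```shell
#!/bin/sh
# Added example; not the skill's own script. Replaces the fixed file under /tmp
# that the findings describe with an owner-only file at an unpredictable name
# inside a private directory.
# ASSUMPTION: $HOME/.openclaw/private is an acceptable location for this skill's
# state; the demo and test pass a scratch directory instead.

# Ensure a 0700 directory for interview output and print its path.
private_state_dir() {
    dir=${1:-"$HOME/.openclaw/private"}
    mkdir -p "$dir" || return 1
    chmod 700 "$dir"
    echo "$dir"
}

# Read answers from stdin, write them to a fresh rw------- file, print its path.
# umask 077 makes the file private at creation; mktemp picks a name another
# process cannot pre-create, which a fixed /tmp path cannot guarantee.
save_interview_answers() {
    dir=$(private_state_dir "$1") || return 1
    old_umask=$(umask)
    umask 077
    out=$(mktemp "$dir/interview.XXXXXX") || { umask "$old_umask"; return 1; }
    cat > "$out"
    umask "$old_umask"
    echo "$out"
}

# Symbolic mode of a path, portable across GNU and BSD (first field of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demo with a constructed answer.
demo_dir=$(mktemp -d)
path=$(printf 'Pain point: weekly release handoff slips\n' | save_interview_answers "$demo_dir/private")
echo "saved to $path with mode $(mode_of "$path")"
rm -rf "$demo_dir"
```

The printed path is what the skill should report back to the user, which also addresses the notice the finding asks for: the user learns at the moment of writing where their answers now live.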

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The generated markdown document includes extensive raw user-provided content such as workflows, pain points, constraints, and case studies, which may contain confidential project or organizational data. Because the script does not clearly warn that all responses will be written to disk at the chosen path, users may unintentionally persist sensitive information in a repository or shared directory.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The script creates directories and overwrites multiple workspace files under `$HOME/.openclaw` without an explicit confirmation step. If run unintentionally or with a colliding `MANAGER_ID`, it can destroy or replace existing agent instructions and state, which is especially risky because these generated files define agent behavior and trust boundaries.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The script recursively applies `chmod -R 755` to generated workspaces without prominently warning the user or limiting scope. Mode 755 makes every directory world-searchable and every file world-readable (and marks data files executable), which unnecessarily broadens access to agent memory and configuration files and can expose sensitive prompts, logs, or credentials to other local users on multi-user systems.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
Worker workspace creation performs many file writes and then recursively changes permissions under `$HOME` without any explicit confirmation or collision handling. Because these files define agent identity, memory, and operating instructions, accidental overwrites or permission broadening can compromise agent integrity and confidentiality across the multi-agent deployment.
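One way to create a workspace that addresses the three findings above together (unconfirmed overwrite, colliding `MANAGER_ID`, and `chmod -R 755`), as an added example that is not the skill's own setup script: the id is validated against path traversal, an existing workspace is refused unless `FORCE=1`, existing memory is kept even then, and the tree ends up owner-only (directories 700, files 600) instead of world-readable. The layout `$BASE/workspaces/$MANAGER_ID` with `WORKSPACE.md` and `memory/wisdom.md` is an assumption built from the file names the findings mention; the demo and test use a scratch directory as the base.

```shell
#!/bin/sh
# Added example; not the skill's own setup script. Addresses the three findings
# above: validates MANAGER_ID, refuses to overwrite an existing workspace unless
# FORCE=1, and ends with owner-only permissions instead of 'chmod -R 755'.
# ASSUMPTIONS: workspaces live at $BASE/workspaces/$MANAGER_ID and contain
# WORKSPACE.md plus memory/wisdom.md (file names taken from the findings; the
# layout is illustrative). The demo and test use a scratch directory as BASE.

create_manager_workspace() {
    base=$1; manager_id=$2
    case "$manager_id" in
        ''|*/*|*..*|-*) echo "invalid MANAGER_ID: '$manager_id'" >&2; return 1 ;;
    esac
    ws="$base/workspaces/$manager_id"
    if [ -e "$ws" ] && [ "${FORCE:-0}" != "1" ]; then
        echo "REFUSED: $ws exists; set FORCE=1 to overwrite its instructions" >&2
        return 1
    fi
    old_umask=$(umask); umask 077           # everything below is created owner-only
    mkdir -p "$ws/memory" || { umask "$old_umask"; return 1; }
    cat > "$ws/WORKSPACE.md" <<EOF
# Manager $manager_id
Workers report to this manager's channel only.
EOF
    [ -f "$ws/memory/wisdom.md" ] || : > "$ws/memory/wisdom.md"   # keep existing memory on FORCE
    umask "$old_umask"
    # Tighten, never broaden: directories 700, data files 600 (no execute bit).
    find "$ws" -type d -exec chmod 700 {} +
    find "$ws" -type f -exec chmod 600 {} +
    echo "$ws"
}

# Demo in a scratch directory: the second call is refused.
demo_base=$(mktemp -d)
create_manager_workspace "$demo_base" mgr-01
create_manager_workspace "$demo_base" mgr-01 || echo "second run refused (set FORCE=1 to overwrite)"
rm -rf "$demo_base"
```

Owner-only modes assume every agent runs as the same OS user, which is the case for a script that creates no isolation. If workers are ever moved to separate users to make the WORKSPACE.md isolation claim true, grant the needed group or ACL access per file instead of reverting to 755.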

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The template explicitly records interview date, interviewee identity, workflow details, and later encourages collection of pain points, examples, and process data without any privacy notice, minimization guidance, or handling instructions. In a planning/interview context, this can lead operators to collect identifiable business-sensitive information and store it in prompts, notes, or agent memory without consent or safeguards.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
These sections prompt for recent difficult cases, scenario descriptions, emotional impact, role lists, responsibilities, communication methods, information flow, and decision bottlenecks. That combination can expose confidential incidents, internal org structure, operational weaknesses, and personal data, especially because the skill is designed for multi-agent processing where collected content may be propagated across agents or logs.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill instructs persistent storage of task assignments, worker performance, issue histories, and delegation patterns in memory files without any consent, retention limits, or data-minimization guidance. This creates a durable operational record that may capture sensitive project details, personal data, or behavioral profiling of agents/users, increasing privacy and data-exposure risk if those files are later accessed, reused, or leaked.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The skill's documented behavior is to broadly read prior user context and memory as part of normal operation. In a multi-agent orchestration system, that materially increases exposure because multiple agents may receive or act on information sourced from historical data that the user did not intend to share for the current task.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The README describes persisting reusable information from tasks into shared wisdom files and injecting those entries into future messages. This creates a genuine cross-task and cross-agent data propagation channel, which can preserve and redistribute sensitive user content, secrets, or derived confidential patterns long after the original task, especially in a multi-agent system designed to pass context around.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
These instructions explicitly direct proactive mining of private user context from profile files, memory logs, and conversation history to shape future team planning. This creates a real privacy risk because the skill centralizes and reuses sensitive contextual information beyond the immediate request, potentially exposing more data to more agents than necessary.

Ssd 3

Severity: Medium
Confidence: 89%
Finding
The Main agent is told to immediately relay manager reports to the user by default. Because manager reports may contain internal agent outputs, task details, paths, risks, or sensitive intermediate content, unconditional forwarding can leak information that should be filtered, summarized, or confirmed first.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
The wisdom mechanism directs workers and managers to continuously read and write shared memory files containing task-derived lessons across sessions. This creates persistent retention and cross-task propagation of potentially sensitive user/project information, increasing privacy exposure and the blast radius of any later misuse or compromise.
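A redaction pass to run over task-derived lessons before they reach a shared wisdom file, as an added example that is not the skill's own memory code: since this finding and the earlier one on wisdom files show that whatever is persisted is re-injected into future messages for other agents, filtering at write time is the one point where a leaked credential can still be stopped. The patterns (AWS access key IDs, GitHub tokens, bearer tokens, `key=value` credentials, PEM private-key blocks) are illustrative heuristics, not a complete secret detector, and the sample input is constructed with fake values.

```shell
#!/bin/sh
# Added example; not the skill's own wisdom/memory code. A redaction pass to run
# over task-derived lessons before they are appended to a shared wisdom file,
# since whatever lands there is re-injected into future messages for other agents.
# The patterns are illustrative heuristics, not a complete secret detector.

redact_secrets() {
    # PEM blocks span lines, so awk collapses each block to one marker first;
    # sed then handles single-line token shapes ('#' is the delimiter so that
    # '/' may appear unescaped inside the patterns).
    awk '
        /-----BEGIN [A-Z ]*PRIVATE KEY-----/ { print "[REDACTED-PRIVATE-KEY]"; skip = 1; next }
        /-----END [A-Z ]*PRIVATE KEY-----/   { skip = 0; next }
        !skip { print }
    ' | sed -E \
        -e 's#AKIA[0-9A-Z]{16}#[REDACTED-AWS-KEY]#g' \
        -e 's#gh[pousr]_[A-Za-z0-9]{36}#[REDACTED-GITHUB-TOKEN]#g' \
        -e 's#([Bb]earer[[:space:]]+)[A-Za-z0-9._~+/=-]{16,}#\1[REDACTED-BEARER]#g' \
        -e 's#((api[_-]?key|secret|password|token)[A-Za-z0-9_-]*[[:space:]]*[=:][[:space:]]*)[^[:space:]]+#\1[REDACTED]#g'
}

# Append redacted lessons from stdin to FILE, which is created owner-only.
append_wisdom() {
    file=$1
    old_umask=$(umask); umask 077
    [ -f "$file" ] || : > "$file"
    umask "$old_umask"
    chmod 600 "$file"
    redact_secrets >> "$file"
}

# Constructed sample of what a worker might try to persist (fake credentials;
# the AWS key is AWS's documented example value).
SAMPLE_INPUT='Lesson: deploy failed until AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE was rotated
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abcdefghijklmnop
api_key=sk-live-1234567890
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA
-----END RSA PRIVATE KEY-----
Lesson: keep worker scope narrow'

# Demo: show the redacted form of the sample.
printf '%s\n' "$SAMPLE_INPUT" | redact_secrets
```

Pipe every lesson through `append_wisdom "$HOME/.openclaw/workspaces/<manager-id>/memory/wisdom.md"` rather than letting agents write the file directly. Pattern-based redaction has false negatives, so it complements, and does not replace, the data-minimization guidance the findings ask for: the safest lesson to persist is one that never contained the credential.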

VirusTotal

65/65 vendors flagged this skill as clean.
