Triumvirate Protocol

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: triumvirate-protocol
Version: 1.0.0

The `protocol.py` script is classified as suspicious due to its direct access to the OpenClaw agent's `auth-profiles.json` file, which contains sensitive API keys. While the script uses these keys for its stated purpose of orchestrating multi-model debates, the capability to read this credential store is a significant security risk that could be exploited for credential theft if the skill were compromised or malicious. Additionally, the script uses `subprocess.run` to execute `curl` for Grok API calls, a powerful primitive that, while carefully implemented here, generally increases the attack surface compared to native HTTP libraries. There is no evidence of intentional malicious behavior or prompt injection against the OpenClaw agent itself.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the tool may use local Google, xAI, or OpenAI credentials that the skill did not clearly declare, potentially causing API usage or account activity under those profiles.

Why it was flagged

The code reads provider tokens from the main OpenClaw auth-profile store using hard-coded profile names. That credential access is not reflected in the supplied metadata, which declares no primary credential, env vars, or required config paths.

Skill content

AUTH_PROFILES = Path.home() / ".openclaw" / "agents" / "main" / "agent" / "auth-profiles.json" ... return {"google": profiles.get("google:vegard", {}).get("token", ""), "xai": profiles.get("xai:vegard", {}).get("token", ""), "openai": profiles.get("openai:vegard", {}).get("token", "")}

Recommendation

Declare the credential/config requirements, let the user choose which provider profiles to use, and require explicit confirmation before using stored tokens.

What this means

An xAI API token could be exposed locally while the request is running, depending on the operating system and monitoring tools.

Why it was flagged

The xAI bearer token is placed directly in a local `curl` command-line argument. On some systems, process arguments can be visible to other local processes or logs, weakening credential containment.

Skill content

subprocess.run(["curl", "-s", "--max-time", "120", "https://api.x.ai/v1/chat/completions", "-H", "Content-Type: application/json", "-H", f"Authorization: Bearer {api_key}", "-d", payload], ...)

Recommendation

Use a native HTTP client or another method that does not place bearer tokens in process arguments, and document the dependency if `curl` is still required.

What this means

Identity snapshots, beliefs, contradictions, and debate content may be sent to third-party AI providers during debate rounds.

Why it was flagged

The skill clearly intends to share identity summaries and debate history across external model providers. This is purpose-aligned, but it is sensitive data movement users should notice.

Skill content

Orchestrates debates across multiple AI providers (Anthropic, Google, xAI, OpenAI) ... **Identity injection**: each participant sees others' beliefs, traits, contradictions ... Persistent threads with full history

Recommendation

Use only identity data and topics you are comfortable sending to the selected providers, and add clear per-provider disclosure or redaction controls.

What this means

Old debate messages or identity files could shape future outputs in ways the user may not expect.

Why it was flagged

Persistent thread messages and identity graphs are reused directly in future prompts. This matches the skill design, but stored context can influence later model behavior if it is inaccurate or poisoned.

Skill content

THREADS_FILE = TRIUM_DIR / "threads.json"; IDENTITY_DIR = WORKSPACE / "identity" ... history += f"\n{emoji} **{src.upper()}** ... {content}\n" ... "YOUR CO-PARTICIPANTS (with their identity graphs):"

Recommendation

Provide review/reset controls for stored threads and identity context, and clearly separate stored content from trusted instructions in prompts.

What this means

The Grok/xAI path may fail or rely on whatever `curl` binary is present on the user's system.

Why it was flagged

The code depends on the local `curl` binary for xAI calls, while the registry requirements say no required binaries. This is an under-declared runtime dependency rather than evidence of unrelated execution.

Skill content

import subprocess ... ["curl", "-s", "--max-time", "120", "https://api.x.ai/v1/chat/completions", ...]

Recommendation

Declare `curl` as a required binary or replace it with a standard Python HTTP implementation.