Agent Team Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed team-management plugin that stores team data locally and uses it to guide the agent, with no evidence of exfiltration or destructive behavior beyond resetting its own data file.

Install only if you want OpenClaw to automatically use locally stored team-member information to guide the leader agent's behavior. Keep ~/.agent-team/team.json factual and non-sensitive, avoid putting instructions or secrets in team fields, and disable the plugin or reset the team file if you no longer want this context applied.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Severity
Medium
Category
MCP Least Privilege
Confidence
79%
Finding
The skill declares only limited tools in front matter, but the documented behavior clearly reads and writes a persistent file at ~/.agent-team/team.json and may rely on environment/user-home context. That mismatch weakens permission transparency and user consent, making it easier for a skill to persist or modify data beyond what its declared interface suggests.

Tp4

Severity
High
Category
MCP Tool Poisoning
Confidence
92%
Finding
The skill is presented as a team-management/delegation utility, but its documented behavior indicates hidden prompt-context injection: team data, delegation rules, and PDCA instructions are inserted during system prompt construction, especially for the leader agent. Undisclosed prompt injection changes model behavior and decision-making authority, can bias outputs across unrelated tasks, and creates a covert control channel that is not apparent from the user-facing description.

Description-Behavior Mismatch

Severity
Medium
Confidence
95%
Finding
The manifest describes explicit team-management/delegation functionality, but the implementation silently appends team data into the system prompt for the leader on every prompt build. This creates hidden behavior and an implicit data flow that can expose internal team metadata and influence model behavior without a user-visible action or consent boundary.

Missing User Warnings

Severity
Medium
Confidence
96%
Finding
Team member data is inserted into the system prompt without user-facing disclosure, which can leak sensitive internal metadata such as names, roles, tags, expertise, and workflow preferences into model context. Because the content comes from a local JSON file and is treated as trusted system-context text, a malicious or careless entry could also shape the assistant's behavior or expose organizational details unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.