Find Agent
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: find-agent Version: 1.3.4 The skill includes instructions in SKILL.md that direct the AI agent to perform local reconnaissance, specifically scanning the user's local filesystem (~/.openclaw/workspace/skills/) and identifying the system username (whoami) to build a user profile. While the instructions state the agent should ask for permission first, this behavior of scanning other installed skills and system identity for 'profiling' is a high-risk privacy concern and exceeds the typical requirements for a service discovery tool.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installed skills and usernames can reveal interests or roles, even though the analysis is disclosed and consent-gated.
The skill proposes using installed-skill names, the system username, and conversation context to infer the user's profile after asking permission.
从以下来源综合推断: ... 其他已安装 skill | 检查 `~/.openclaw/workspace/skills/` 目录 ... 系统用户名 ... 对话历史
Only approve the analysis if you are comfortable with the agent using your installed-skill list and current conversation to personalize recommendations.
Your request details may be sent to third-party agents discovered through OceanBus, and those agents' responses may shape the next interaction.
The workflow sends messages to discovered agents and uses their replies to decide follow-up inquiry messages.
用户确认 → 给每家发 --help: oceanbus send <OpenID1> "--help" ... 主控 LLM 根据 --help 中的命令描述,自动发送询价
Review what information will be sent before approving contact with external agents, especially for personal, business, or financial details.
Publishing can make your agent identity, name, tags, and description discoverable by others.
The CLI operates on the current agent identity by showing its OpenID and publishing or updating its Yellow Pages entry.
node discover.js publish <name> ... Publish your agent to Yellow Pages ... node discover.js openid ... Show current agent OpenID
Publish only profile information you intend to make discoverable, and use unpublish if you no longer want the listing visible.
A future compatible oceanbus package version could change behavior when installed.
The skill relies on an external npm package with a semver range rather than a pinned lockfile in the provided artifacts.
"dependencies": { "oceanbus": "^0.7.0" }Install from a trusted environment and consider pinning or reviewing the resolved oceanbus version if supply-chain control matters.
If you start the listener, the agent may keep responding to other agents until you stop the process.
The skill includes a documented long-running mode that can automatically respond to incoming help requests.
node discover.js listen ... Start a long-running listener that auto-responds to --help requests.
Run listen only when you want this behavior, monitor it while active, and stop the process when no longer needed.