Back to skill

Security audit

Openclaw Skill Gastown

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real multi-agent coding tool, but it can run persistent agents, change repositories, and includes risky setup steps that should be reviewed before use.

Install only if you intentionally want a multi-agent coding orchestrator that can start local AI coding sessions, create persistent state, modify repositories, and process merges. Review setup commands first, avoid delegating sudo or shell-profile edits blindly, prefer pinned or verified tool versions, and use it only in repositories where automated workers are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue AgentSelf-Modification, Session Persistence
Findings (14)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README describes invocation in very broad terms: 'Just tell the agent what you need' and gives a generic software task example. That can cause the skill to activate on ordinary coding requests without clear user intent to use this specific multi-agent orchestrator, increasing the chance of unexpected command execution, repository modification, or parallel task dispatch in the user's environment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly tells the agent to execute all `gt` and `bd` commands on the user's behalf, but these commands can create workspaces, initialize git repositories, modify bead state, spawn agents, and alter project data. Because the agent is positioned as the primary operator, users may not receive a clear consent checkpoint before state-changing actions occur, increasing the risk of unintended filesystem, repository, or orchestration changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The setup steps include package installation, git initialization, workspace creation, project addition, and service startup, all of which change local system and repository state. Presenting these as standard workflow steps without prominent warnings or approval requirements can cause an agent to perform destructive or irreversible setup actions automatically.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The full-stack mode describes starting a daemon and automatic lifecycle management for agents, meaning background processes may continue running and act without further prompts. In an agent-executed environment, that autonomy materially increases risk because it can trigger additional work, file changes, or session spawning after the initial command.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The architecture explicitly endorses automatic execution of queued work via the GUPP rule ('If your hook has work, RUN IT') without requiring user confirmation, policy checks, or safety gating. In a multi-agent system that can dispatch work, mutate repositories, and send cross-agent instructions, this creates a strong pathway for unsafe or malicious tasks to propagate and execute automatically after compromise or misrouting.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script appends to the user's ~/.bashrc without prompting or clearly warning that it will persistently modify the shell environment. While the added PATH entry is not itself malicious, silent profile modification is risky because it changes future shell behavior and can create persistence or precedence issues if the target directories later contain untrusted executables.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**Gas Town Universal Propulsion Principle:**
> If your hook has work, RUN IT.

No waiting. No asking. Work lands on hook → work runs.

Molecules (work units) survive crashes. Any worker can continue where another left off. The engine never stops as long as there's fuel.
Confidence
95% confidence
Finding
No asking

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Install Go (apt version may be outdated, use official installer)
wget https://go.dev/dl/go1.24.12.linux-amd64.tar.gz
sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.24.12.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc
Confidence
93% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# Install Go (apt version may be outdated, use official installer)
wget https://go.dev/dl/go1.24.12.linux-amd64.tar.gz
sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.24.12.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc
Confidence
93% confidence
Finding
sudo

Session Persistence

Medium
Category
Rogue Agent
Content
$ npm install -g @gastown/gt                              # npm
$ go install github.com/steveyegge/gastown/cmd/gt@latest  # From source

# If using go install, add Go binaries to PATH (add to ~/.zshrc or ~/.bashrc)
export PATH="$PATH:$HOME/go/bin"

# Create workspace with git initialization
Confidence
84% confidence
Finding
add to ~/.zshrc

Session Persistence

Medium
Category
Rogue Agent
Content
# If using go install, add Go binaries to PATH (add to ~/.zshrc or ~/.bashrc)
export PATH="$PATH:$HOME/go/bin"

# Create workspace with git initialization
gt install ~/gt --git
cd ~/gt
Confidence
92% confidence
Finding
Create workspace with git initialization gt install ~/gt --git cd ~/gt # Add your first project gt rig add myproject https://github.com/you/repo.git # Create your crew workspace gt crew add yourname

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# Install Go (apt version may be outdated, use official installer)
wget https://go.dev/dl/go1.24.12.linux-amd64.tar.gz
sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.24.12.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc
Confidence
88% confidence
Finding
rm -rf /

Tool Parameter Abuse

High
Category
Tool Misuse
Content
# Install Go (apt version may be outdated, use official installer)
wget https://go.dev/dl/go1.24.12.linux-amd64.tar.gz
sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.24.12.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc
Confidence
88% confidence
Finding
rm -rf /usr/local/go && sudo tar -C /usr/

Chaining Abuse

High
Category
Tool Misuse
Content
# Install Go (apt version may be outdated, use official installer)
wget https://go.dev/dl/go1.24.12.linux-amd64.tar.gz
sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.24.12.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin' >> ~/.bashrc
source ~/.bashrc
Confidence
90% confidence
Finding
&& sudo

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.destructive_delete_command

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
SKILL.md:520