Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Office

v1.5.0

Agent Office: create local AI employees, office workers, AI employees and multi-agent office teams. Each employee runs as an independent HTTP Worker and supports six engines: openclaw / hermes / deerflow / cli / external / stub...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

Capability signals: Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and scripts implement a local multi-agent office manager as described (create workers, assign ports, start worker_server, support openclaw/hermes/deerflow/cli/external/stub). However, the registry metadata lists no required binaries or env vars, while SKILL.md and README explicitly require or expect tools (git, uv, lsof, openclaw, hermes, local CLIs). This metadata mismatch is worth noting.
Instruction Scope
Runtime instructions and code read/write user home paths (~/.hermes/office, ~/.openclaw/agents), start/stop processes, register/unregister openclaw agents, and may forward shared memory to external upstream agents. The 'external' engine forwards tasks (and injected shared memory) to upstream URLs, and the code can run arbitrary local CLI commands for 'cli' workers. Those behaviors are consistent with purpose but broaden the data surface (can leak local context to upstream workers and execute arbitrary local commands).
Install Mechanism
No install spec is provided, but at runtime the DeerFlow helper will git-clone a runtime repo (DEERFLOW_REPO_URL, default https://github.com/bytedance/deer-flow.git) and run 'uv sync' to prepare dependencies. Cloning and executing code from a remote repo (and the ability to override the repo via env var) is a non-trivial risk vector if the repo or env is changed to an untrusted source.
Credentials
Registry metadata declares no required env vars, yet the skill uses multiple env vars (HERMES_OFFICE_DIR, MEMORY_CLI, AGENT_OFFICE_DEERFLOW_REPO_URL, AGENT_OFFICE_DEERFLOW_UPDATE_ON_ADD, AGENT_OFFICE_DEERFLOW_EXTRA_MOUNTS, model/timeouts). In particular AGENT_OFFICE_DEERFLOW_EXTRA_MOUNTS allows mounting arbitrary host paths into the embedded DeerFlow sandbox, which can expose host files to the runtime; AGENT_OFFICE_DEERFLOW_REPO_URL allows pointing to arbitrary git repos. These are powerful and should be treated as sensitive configuration.
Persistence & Privilege
The 'always' flag is false and autonomous invocation is allowed (default). The skill writes and removes files under the user's home (~/.hermes/office), registers/unregisters agents, and kills processes by port using lsof — all expected for a local manager. There is no indication it modifies other skills' configs or system-wide settings beyond its own directories.
What to consider before installing
This skill implements a local multi-agent 'office' and mostly matches its description, but pay attention to these points before installing or running:
- Metadata vs reality: the registry lists no required binaries/env vars, but the README/SKILL.md and code expect tools like git, uv, lsof, openclaw, hermes and several environment variables. Assume you must provide those to function.
- Remote code download: DeerFlow runtime is cloned from a git repo at runtime and dependencies are synced (uv). If you override AGENT_OFFICE_DEERFLOW_REPO_URL, an attacker-controlled repo could be executed. Only use trusted repo URLs.
- Host path exposure: AGENT_OFFICE_DEERFLOW_EXTRA_MOUNTS can mount arbitrary host paths into the embedded runtime. Do not set this to sensitive directories (e.g., ~/.ssh, /etc, or repos with secrets) unless you understand the risks.
- Data leakage to external workers: the 'external' engine forwards tasks and shared memory to upstream HTTP workers; that can leak local context or secrets to whatever service is listening on the upstream URL. Treat upstream endpoints as trusted before bridging them in.
- Arbitrary local command execution: 'cli' workers invoke local CLI executables (codex, claude, gemini, custom cli-cmd). This lets the skill run local programs — ensure those programs are trusted and that CLI args are controlled.
- Process control and file deletion: remove_worker stops processes by port and deletes worker and DeerFlow home directories — be cautious when removing workers to avoid accidental deletion of important data.

Recommended actions:
- Inspect worker_server.py and the parts of the code that handle incoming tasks and outgoing network calls (not fully included here) before deploying.
- Run in an isolated account or container if you will mount directories or point to untrusted upstreams/repos.
- Do not set AGENT_OFFICE_DEERFLOW_EXTRA_MOUNTS or AGENT_OFFICE_DEERFLOW_REPO_URL to untrusted values; prefer the default trusted repo or a vetted internal fork.
- Ensure required binaries (git, uv, lsof, openclaw/hermes/local CLIs) are installed from trusted sources.

If you want, I can: (1) scan worker_server.py for endpoints and network behavior, (2) list every environment variable used across files, or (3) point to exact lines that implement git clone, mounts, and process-kill behavior.


Tags: ai-employee, automation, latest, multi-agent, office, worker
