Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Multi Agent

v0.1.2

A multi-agent collaboration system coordinating specialized AI roles—planner, executor, reviewer, and coordinator—to analyze, execute, and review complex tas...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md align with a multi-agent orchestrator (planner, executor, reviewer, coordinator). However, the code imports ToolsRegistry and ReActEngine from ../../react-agent, an external/local package that is not declared in package.json or in the SKILL.md dependency instructions. This will cause runtime errors or require the user to obtain extra packages that are not documented.
Instruction Scope
Runtime instructions and examples initialize tools registries and a ReAct engine and run example scripts that grant the Executor the ability to list directories, read/write files and run shell commands. The Executor constructs and runs a shell command using the raw task string (exec `echo "Task executed: ${task}"`) without escaping or sanitization — this is a command injection risk if task input can be attacker-controlled. SKILL.md does not clearly warn users that the skill will access local files and may execute shell commands.
Install Mechanism
There is no install spec. SKILL.md suggests running npm install, but package.json contains no dependencies for the referenced react-agent modules (relative requires). The repo includes many source files and tests but lacks declared external dependencies, so npm install as-is may not provide required packages. No remote downloads or obscure URLs are used.
Credentials
The skill declares no required environment variables, secrets, or config paths. That matches the SKILL.md and package.json; there are no suspicious env/credential requests.
Persistence & Privilege
The skill is not forced-always, does not request platform-level persistent privileges, and does not modify other skills' configuration in the provided code. It runs only when invoked.
Scan Findings in Context
[child_process.exec_usage] expected: Executor uses child_process.exec to run a shell command derived from the task string. Executing commands is within an Executor's expected capabilities, but the implementation interpolates unescaped user-provided task text into a shell command (potential command injection).
[relative_require_react_agent] unexpected: Code requires ToolsRegistry and ReActEngine from '../../react-agent/src/...'. Depending on packaging this can be legitimate in a monorepo, but package.json does not declare or document this dependency; the SKILL.md/npm install instructions do not cover obtaining that package.
What to consider before installing
What to consider before installing/running:
- Missing/deferred dependency: The code requires a sibling package (../../react-agent) but package.json doesn't declare it. npm install may not fetch that dependency; verify you have the required react-agent package or update package.json before running.
- Local file & command access: The Executor is designed to call tools that can read/write files and run shell commands. Only run this skill in a safe, non-sensitive environment (e.g., an isolated VM or container) until you audit the tools and ReActEngine it uses.
- Command injection risk: The Executor builds a shell command by interpolating the task string into exec without escaping. If you will pass untrusted or user-supplied tasks, this is dangerous. Consider patching the code to use execFile/spawn with argument arrays or properly escape inputs.
- Audit external code: Inspect the ToolsRegistry and ReActEngine implementations (the referenced react-agent package). Those components will determine what external endpoints or system resources the skill can access.
- Run tests in sandbox: Use the included tests/examples in an isolated environment to confirm behavior before using on real data. Prefer to run with reduced toolsets (no tools that access network or sensitive files) while you evaluate.
- If you need help: Ask the skill author to (1) list required dependencies in package.json, (2) document exactly which built-in tools the Executor will enable, and (3) fix the unsafe exec usage or document input sanitization requirements.

Given these inconsistencies and the unsafe shell usage, treat this skill as suspicious until the above issues are resolved.

Like a lobster shell, security has layers — review code before you run it.
