agent-team-mesh

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate team agent messaging tool, but it can forward user messages and relies on shared agent tokens with some under-disclosed fallback behavior.

Install only in a trusted internal team environment. Treat every send or broadcast message as content shared with another agent and possibly retained in that agent's session history. Before use, restrict tokens.json permissions, avoid placing secrets in messages, consider disabling or removing the IM fallback unless explicitly needed, and use dry-run/explicit recipient checks before sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and relies on shell execution (`bash`, `curl`, `openclaw` CLI, and local scripts) but does not declare permissions. This creates a trust and policy gap: an agent may invoke shell-capable behavior without users or the platform having explicit permission metadata to review or gate it.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
When a target is unreachable, the script can automatically resend the user's message through a separate IM channel, changing both the trust boundary and the data path. That creates an unintended disclosure risk because content meant for direct agent-to-agent delivery may be forwarded to another system without explicit per-send consent or a prominent warning in the help text.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The comments claim token storage is secured with chmod 600, but the script never verifies or enforces restrictive permissions on the token file. On multi-user systems or permissive home-directory setups, this can leave authentication material readable by other local users, weakening the security of the mesh.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases are broad enough to match ordinary team-communication requests, which can cause the skill to activate in situations where the user may not realize their prompt will be sent over the network to another agent. In this skill's context, unintended activation is more dangerous because the action forwards user-provided content to peer agents on other containers/pods.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README describes send and broadcast capabilities but does not prominently warn users that message contents are transmitted to other agents over the network. In a P2P agent-mesh skill, this omission increases the risk of accidental disclosure of sensitive prompts, secrets, or workspace data to remote peers.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrase `agent mesh` is overly broad and can be matched during ordinary discussion rather than a deliberate invocation. In a skill that can initiate peer-to-peer messaging and broadcasting to other agents, accidental activation can lead to unintended network actions or message disclosure.

Vague Triggers

Low
Confidence
82% confidence
Finding
`broadcast to the team` is ambiguous because it does not define scope, recipient resolution, or confirmation requirements. In this skill's context, that ambiguity could cause unintended broadcasts to all configured peers, increasing the chance of accidental data leakage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The IM fallback sends the original message body over another communication channel without making that behavior explicit in the command help for send or broadcast. Users may reasonably assume content stays within the WS mesh, so silent fallback can cause accidental leakage of prompts, secrets, or internal operational details.

Session Persistence

Medium
Category
Rogue Agent
Content
The `emailPrefix` is the key — it must match what `whoami` detects on each
teammate's machine.

### 2. Create tokens file

Each teammate generates their own OpenClaw gateway WS token and shares it.
Collect into:
Confidence
94% confidence
Finding
Create tokens file. Each teammate generates their own OpenClaw gateway WS token and shares it. Collect into:

```
~/.config/agent-team-mesh/tokens.json
```

Format (`references/tokens.example.json`):

VirusTotal

63/63 vendors flagged this skill as clean.