Agent Team Builder

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent OpenClaw team-setup guide, but its copyable examples grant broad command, filesystem, session, and shared-memory authority that users should review carefully before installing or using.

Install only if you are intentionally building an advanced OpenClaw multi-agent setup. Before using the generated examples, narrow each agent's tool allowlist, prefer workspace-only filesystem access where possible, avoid storing session keys or secrets in shared files, require explicit approval for exec/restart steps, and use specific mention patterns instead of broad fallbacks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The example grants the planner and coder powerful capabilities including command execution, process control, browser access, and unrestricted web fetch/search, which exceeds what is necessary for a team-building reference configuration. In a multi-agent setup, these permissions materially increase the blast radius of prompt injection, compromised channels, or agent misrouting, allowing code execution and outbound access from conversational inputs.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Setting fs.workspaceOnly to false permits agents to access files beyond their intended workspaces, undermining workspace isolation that is central to safe multi-agent design. Because the same example also encourages symlinked shared directories and grants read/write plus exec to some agents, this setting can enable lateral access to sensitive local files if an agent is manipulated or misconfigured.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The document explicitly instructs teams to place other agents' session keys in a shared file accessible across agent workspaces. Session keys are sensitive routing/authentication identifiers; exposing them broadly increases the chance of misuse, impersonation, or unintended cross-agent access if any agent or shared file is compromised.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The trigger text is extremely broad and can cause the skill to activate for generic discussions about AI teams or collaboration, even when the user did not ask for OpenClaw configuration changes. That increases the chance the agent will steer a conversation into generating operational configs and setup steps in contexts where they are irrelevant or potentially unsafe.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs the agent to generate full configuration files, setup scripts, symlink commands, validation commands, and gateway restart instructions without an explicit safety checkpoint. In practice, this can lead users to apply disruptive or environment-changing commands blindly, especially when the generated output touches auth tokens, routing, or shared directories.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Using a generic fallback mention pattern like @openclaw can cause unintended agent activation when users casually reference the platform name rather than intentionally invoking the system. In group settings, accidental triggers can expose context, initiate tool use, or cause cross-agent interactions without clear user intent.

Session Persistence

Medium
Category
Rogue Agent
Content
### The Design

Create a shared directory symlinked into every agent's workspace:

```
~/.openclaw/team-shared/           ← Single source of truth
├── TEAM-KNOWLEDGE.md              ← Durable facts, preferences, qual
```

Confidence
91% confidence
Finding
Create a shared directory symlinked into every agent's workspace (the excerpt quoted under Content above).

VirusTotal

58/58 vendors flagged this skill as clean.
