Skillv1.0.0

ClawScan security

SZZG007 Multi Agent Orchestrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 14, 2026, 8:31 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's description (multi‑agent orchestrator) matches the text in SKILL.md, but the runtime instructions expect local config files, environment variables, and other skills/scripts that are not declared or included — this mismatch could lead to unexpected access to agent configs or credentials.
Guidance: Before installing or enabling: 1) Ask the publisher to explain what exact files/configs the skill needs and why (agent-matrix.json, task queues, webhook). 2) Verify what is stored in ~/.openclaw/config/agent-matrix.json — it may contain channel tokens or credentials; do not grant access until you confirm contents. 3) Because the manifest declares no env vars but SKILL.md expects many, treat that as a red flag: require the skill author to update the registry metadata to list required env vars and config paths. 4) If you want to test it, run in an isolated/sandbox user account with dummy agent-matrix and webhook values to avoid exposing real tokens. 5) Check the referenced helper skills (szzg007-*) and local scripts — they are not bundled; ask whether they are required and where they come from. 6) Prefer least-privilege: supply only specific, limited webhook endpoints and non-production config during testing, and avoid placing real channel/telegram/feishu tokens in any file the skill may read until you trust the publisher. If the author cannot justify the config/credential needs or provide a source/homepage, treat the skill as untrusted.

Review Dimensions

Purpose & Capability: concernThe name/description (multi‑agent orchestrator) aligns with the SKILL.md content, but the registry metadata declares no required env vars or config paths while SKILL.md clearly expects a workspace (~/.openclaw/...), config files (agent-matrix.json, task-rules.json) and references to several other szzg007-* skills. That mismatch (declared requirements: none vs. instructions: expect local config and other skills) is incoherent and worth questioning.
Instruction Scope: concernSKILL.md gives explicit runtime behavior: read/write under ~/.openclaw/workspace/skills/szzg007-multi-agent-orchestrator/, read agent-matrix.json, read/write task queues, and use an ALERT_WEBHOOK_URL/REPORT_CHANNEL. It also references scripts (decompose.py, monitor.py, etc.) and other skills. Those are actionable instructions that would cause the agent to access local config and possibly channel/webhook endpoints — but no such files/scripts are bundled and the registry didn't declare these paths or variables.
Install Mechanism: okThis is instruction-only with no install spec and no bundled code. That lowers the immediate disk/write risk because nothing is downloaded/installed by the skill manifest itself.
Credentials: concernAlthough the registry lists no required env vars, SKILL.md lists configuration environment variables (AGENT_MATRIX_CONFIG, TASK_QUEUE_PATH, ALERT_WEBHOOK_URL, REPORT_CHANNEL, DEFAULT_MODEL, etc.). If followed, the agent would read those values and the referenced agent-matrix.json could contain channel tokens or credentials for other agents/channels (Feishu/Telegram), which are sensitive. Asking for or reading such config is disproportionate for an instruction-only skill unless the user explicitly consents and understands what those config files contain.
Persistence & Privilege: notealways is false and autonomous invocation is allowed (the platform default). The skill's instructions imply persistent state in ~/.openclaw/workspace/tasks/ and config under ~/.openclaw/config/, which could grant ongoing access to task queues and agent matrix if the agent executes those steps. This is not a platform privilege escalation, but it does mean the skill would interact with persistent agent config and other skills' artifacts if run.