Back to skill

Security audit

Boss AI Agent

Security checks across malware telemetry and agentic risk

Overview

The skill is transparent about being a management automation tool, but its connected mode can send employee messages, sync business records, and run scheduled jobs with insufficient per-action safeguards.

Install only if you are comfortable giving this skill management-operations authority. Prefer Advisor Mode unless you need automation. Before enabling Team Operations Mode, verify the MCP package and API keys, review cron schedules, disable unwanted automated outreach or sync, confirm every employee message recipient/channel/content, use sync previews and backups, and treat incentive or culture-based guidance as draft advice requiring human and HR review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (22)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This document presents a skill framed as management advice, but the referenced toolset includes message sending, context mutation, sync configuration, and execution of recommendations and consulting actions. That broadens the skill from advisory analysis into operational control, increasing the risk that a user or agent invokes real-world actions without understanding the side effects or approval requirements.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Incentive calculation affects compensation, evaluation, and employee treatment, making it a materially consequential HR function rather than a low-risk advisory feature. Exposing it within a broadly triggered management skill raises the chance of opaque or premature use on incomplete data, potentially causing unfair decisions or downstream employment harm.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Bidirectional Notion/Sheets sync extends the skill into external system integration and data propagation, which is broader than users would expect from a management-advice assistant. Without strong scoping and warning, this can lead to unintended disclosure, overwrites, or persistence of sensitive workforce and operational data into third-party systems.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance is intentionally expansive, including implicit triggering for nearly any leadership, team-dynamics, or boss-level decision. Overbroad routing increases the chance the skill is activated in contexts where users did not expect persistence, external connectivity, or automation, which can lead to unintended data handling and side effects.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Advisor Mode first-run flow directs an automatic write to `~/.openclaw/skills/boss-ai-agent/config.json` without an explicit warning or opt-in. Even if the stored fields are limited, silent persistence of user preferences and session history creates privacy and trust risks because the user is not given a choice before data is retained locally.

Missing User Warnings

High
Confidence
97% confidence
Finding
The Team Operations setup goes beyond advice and instructs persistent local writes, cron registration, sync configuration, and message automation, but does not require explicit user acknowledgment of these system changes. This is dangerous because it can establish ongoing autonomous behavior, repeated outbound actions, and background data processing on the host without sufficiently informed consent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The briefing recommends sending a direct message to an employee through a messaging tool based on inferred disengagement, but it does not require verification of the recipient, channel correctness, consent expectations, or privacy boundaries before outreach. In a people-management automation context, this can lead to misdirected messages, inappropriate contact on personal channels, or disclosure of sensitive employment-related observations without adequate safeguards.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The action menu offers immediate outbound actions like sending a message, triggering a check-in, or 'chasing' the employee without embedding safeguards about communication impact, recipient verification, or appropriateness of contacting someone who may be in distress. In this skill's context, the dangerous part is not generic messaging alone but automation-ready messaging tied to employee monitoring signals, which can amplify privacy, HR, and employee-relations harm.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The document imposes mandatory communication rules based on the employee's presumed national culture rather than individualized preferences or observed behavior. This can lead managers to stereotype employees, make inaccurate inferences, and justify differential treatment in a people-management workflow where guidance is likely to be acted on directly.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
This line operationalizes broad nationality-based generalizations as interaction rules, which risks discriminatory treatment and biased managerial decisions. In a workplace advisory skill, such instructions can influence evaluations, discipline, and support pathways in ways that are unfair or legally sensitive.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The guidance tells the manager to interpret behavior through a 'high-hierarchy Filipino culture' lens, encouraging inference from ethnicity or nationality instead of direct evidence. That creates a meaningful risk of biased diagnosis, misreading consent or agreement, and normalizing stereotype-based people management.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The content applies a specific national-cultural framework to an individual employee without any user request or evidence that such profiling is appropriate. This can lead managers to make decisions based on stereotypes rather than facts, producing biased treatment, inappropriate assumptions about personal circumstances, and potentially discriminatory workplace behavior. In a management-advice skill, this is more dangerous because users may treat the guidance as authoritative HR/leadership best practice and operationalize it directly in employee conversations.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger set is intentionally expansive and uses broad natural-language managerial prompts such as general briefings, risk dashboards, and performance discussions. In a skill that is supposed to activate for management advice, this can still become a security-relevant routing problem because overlapping prompts may cause unintended activation, unnecessary access to management-oriented tooling, or inappropriate collection/use of employee-related context.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The file hard-codes communication rules based on nationality/culture labels and presents them as deterministic defaults for employee handling. In a management-advice skill, this can drive biased or discriminatory treatment, produce inaccurate advice for individuals, and cause harmful workplace decisions without explicit user opt-in, individual validation, or safeguards.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The write-tool section states that tools can send messages over Telegram, Slack, Lark, and Signal, but it does not prominently warn that using them triggers external communications to employees. In a management context, accidental outreach can create reputational, privacy, and workplace-relations consequences immediately in the real world.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
`execute_recommendation` is described as executing suggested actions without a clear warning that those actions may include sending messages or scheduling meetings. That abstraction hides the real-world side effects behind a generic 'execute' verb, making it easier for users or agents to trigger impactful operations without informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
`execute_consulting_actions` can create tasks, schedule meetings, send messages, and flag risks, but the documentation does not emphasize that these are real operational changes with external effects. In a consulting workflow, users may perceive the process as analytical, so hidden execution authority significantly increases the chance of unintended organizational actions.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "save this" is broad enough to match ordinary conversation and can unintentionally activate Scenario 6, which records conversation-derived information and may update context or queue external sync. In a management skill handling sensitive employee, policy, and strategic data, accidental activation can cause unintended persistence of confidential information and surprise state changes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file instructs the skill to update last_session_context in config.json after completing a scenario, creating persistent state changes without a clearly described user consent step. Because this skill stores boss preferences and operational context, silent writes can retain sensitive business and employee information across sessions in ways the user may not expect.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The daily management cycle directs the system to send check-in messages to all active employees automatically, but the scenario text does not require an explicit user-facing notice or approval for outreach. In a workforce-management context, unintended outbound messaging can expose internal operational data, create employee confusion, and trigger real-world actions based on an accidental invocation or stale configuration.

Missing User Warnings

High
Confidence
97% confidence
Finding
The data sync workflow performs bidirectional reads and writes between local systems and external Notion/Sheets, including conflict resolution with last-write-wins, without a strong user warning or approval gate. This is dangerous because it can overwrite authoritative records, propagate tampered or erroneous data across systems, and cause hard-to-detect integrity loss in sensitive management, HR, and operational information.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script renders employee names, missed check-in status, assignees, blocked projects, and project blockers directly into markdown output with no masking, redaction, consent check, or sensitivity warning. In this skill context, the data concerns workforce management and performance signals, so exposing identifiable HR-related risk details can leak sensitive personnel and operational information to unintended viewers or downstream systems.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.