Back to skill

Security audit

Agent Brainstorm Chair

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real multi-agent brainstorming helper, but it asks for local OpenClaw probing and bridge privileges that are broader than a casual meeting trigger suggests.

Install only if you intend to use OpenClaw multi-agent orchestration. Prefer an explicit trigger phrase, review the bridge scripts before use, avoid command-line tokens or passwords, and consider limiting ACP capabilities to read-only if you only need consultation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill explicitly instructs the agent to run shell commands like `which openclaw` and `ls ~/.openclaw/agents/`, and later to invoke Python scripts, yet it declares no permissions. This creates hidden execution capability and local environment/file access that a user or platform may not expect, undermining consent and increasing the chance of unintended local data exposure or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The described purpose is a brainstorming/facilitation skill, but the referenced behavior extends into subprocess execution, JSON-RPC communication with external agent infrastructure, transcript/session file access, and cross-process locking. That mismatch is risky because users may invoke a seemingly harmless meeting skill without realizing it can inspect local OpenClaw state and interact with other agents and files behind the scenes.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The bridge advertises writeTextFile and terminal capabilities during ACP initialization even though the surrounding skill frames this interaction as an internal read-only consultation. In agent ecosystems, declared capabilities shape what downstream components may attempt, so overbroad capability advertisement can enable unintended file modification or command execution if the remote side honors or exploits those capabilities.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger guidance uses very broad everyday phrases such as '开会' and '头脑风暴' to load the skill automatically. That creates unintended activation risk: normal user requests can silently switch the agent into this skill's behavior, causing prompt hijacking of task flow, unexpected tool use, or delegation logic without explicit user consent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The OpenClaw invocation example says to use the methodology 'when the user says 开会', again relying on an unsafely generic trigger. In this context the danger is slightly higher because activation can lead to scripted multi-agent orchestration and external command execution paths, increasing the chance of unintended subprocess or agent calls from casual language.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger condition is very broad: everyday phrases like '开会/头脑风暴/主持议事' can activate the skill in ordinary conversation. Because activation leads into environment detection and possible shell/filesystem inspection, accidental invocation can cause unexpected local probing or external agent orchestration without clear user intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script accepts --token and --password on the command line and forwards them to a subprocess, which can expose secrets through process listings, shell history, job control tools, crash reports, or audit logs. In an agent skill context, this is more dangerous because orchestration layers often log invoked commands and arguments, increasing the chance of credential disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
scripts/openclaw_meeting_round.py:24

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
tests/test_build_baton.py:11