Team Dispatch

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a disclosed multi-agent orchestrator, but it also makes broad OpenClaw configuration changes, installs recurring background jobs, and includes unrelated onboarding instructions that collect personal/contact details.

Review before installing. Only install if you are comfortable with it changing ~/.openclaw/openclaw.json, adding agent workspaces, granting broad subagent delegation, restarting OpenClaw Gateway, and creating scheduled watcher/daily-summary jobs. Disable or remove the onboarding BOOTSTRAP.md content and replace allowAgents ["*"] with a specific allowlist before using in a sensitive environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (53)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if has_main:
                # Send to the main agent
                send_result = subprocess.run(
                    ["openclaw", "sessions", "send", "--agent", "main", "--message", message],
                    capture_output=True,
                    text=True,
Confidence
87% confidence
Finding
send_result = subprocess.run( ["openclaw", "sessions", "send", "--agent", "main", "--message", message], capture_output=True,

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
Although presented as an orchestration skill, the document requires automatic installation, symlink creation, config generation, agent directory copying, modification of global OpenClaw configuration, and service restarts. This is dangerous because it expands the skill from task coordination into host reconfiguration, increasing the blast radius if the skill is misused or compromised.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Configuring `main.subagents.allowAgents: ["*"]` grants unrestricted delegation to any available subagent rather than only the specific dispatch roles the skill needs. This violates least privilege and can let a compromised or misdirected dispatcher invoke unintended agents with broader tools or access than expected.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill specifies automatic Gateway restarts after writing configuration, which is a host-level operational action outside the narrow scope of workflow orchestration. Restarting services from a skill can disrupt ongoing sessions, mask unauthorized configuration changes, and create a denial-of-service or persistence-enablement path.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The bootstrap content instructs the agent to perform personal identity construction and contact/onboarding flows that are unrelated to the stated purpose of a team-dispatch orchestration skill. This creates unjustified data collection and behavioral drift, increasing the chance the agent solicits personal details or external contact setup under a misleading skill context.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The file directs collection of user profile details and proposes linking WhatsApp or Telegram accounts despite no demonstrated need for a dispatch/orchestration skill to access those channels. Unnecessary collection of names, timezone, notes, and external messaging setup expands the privacy and social-engineering surface without a legitimate functional justification in this skill.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This bootstrap file is materially inconsistent with the declared purpose of the skill. Instead of orchestrating multi-agent workflows, it instructs the agent to establish persona, collect user details, persist profile data, and offer external messaging setup, which creates unnecessary capabilities and broadens the attack surface beyond the skill's stated scope.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The instructions to link WhatsApp or Telegram accounts are unrelated to multi-agent dispatch and introduce external account-linking workflows without clear necessity. That can expose users to privacy loss, account misuse, phishing-like interaction patterns, or unintended data transfer to third-party messaging platforms.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
Labeling the document as a simple 'Hello, World' bootstrap while directing identity persistence, user profiling, and deletion of the bootstrap file is misleading. That mismatch can hide impactful behavior from reviewers and users, making risky instructions easier to overlook and reducing auditability after the file is deleted.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This bootstrap file materially expands the skill beyond its declared purpose of multi-agent workflow orchestration into persona creation, persistent identity/user profiling, and external communications onboarding. That scope drift is dangerous because it encourages collection and persistence of unnecessary personal and behavioral data, increasing privacy and abuse risk without a functional need tied to the skill's stated purpose.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The instructions direct the agent to collect personal profile details and facilitate linking external messaging channels like WhatsApp and Telegram, despite no clear need for those actions in an orchestration skill. This creates unnecessary exposure of personal data and can lead to account-linking, data-sharing, and off-platform contact risks that users may not expect from the skill.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The file defines the shield agent as a dedicated security-audit role, which does not match the manifest description of a team-dispatch skill focused on workflow orchestration, dependency management, retries, and durable tracking. This kind of instruction/manifest mismatch can cause the wrong capability to be invoked, leading to unsafe routing, incorrect trust assumptions, and failure of expected orchestration controls in downstream automation.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file's behavior is materially inconsistent with the declared purpose of a multi-agent orchestration skill. Instead of task decomposition, dependency management, retries, or durable workflow tracking, it instructs the agent to perform persona bootstrapping, collect personal profile data, and set up external messaging, which can mislead operators and cause the skill to be invoked in contexts where unnecessary data collection and unsafe side effects occur.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Prompting for WhatsApp or Telegram linking is unrelated to the stated orchestration function and introduces external account-connection behavior without clear necessity. This expands the attack surface, risks social engineering or unintended exfiltration channels, and can pressure users into linking personal accounts under a misleading skill context.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The bootstrap content is materially misaligned with the declared purpose of a team-dispatch skill. Instead of orchestrating multi-agent workflows, it steers the agent into persona creation, user profiling, persistent memory setup, and channel onboarding, which can cause unauthorized data collection and behavior outside the user's expected scope.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The file encourages linking external messaging services like WhatsApp and Telegram even though the skill is described as an internal dispatch/orchestration tool. This expands the trust boundary to third-party platforms and could lead users to expose accounts, tokens, or communication metadata without a legitimate need tied to the skill's stated function.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file content is materially inconsistent with the declared skill purpose: instead of multi-agent orchestration, it defines a dedicated investment/trading persona with strategy guidance, target prices, stop-losses, and position sizing. This kind of scope mismatch is dangerous because it can cause the wrong capability to be invoked in a sensitive workflow, leading to unauthorized financial advice, policy bypass, or misrouting of user requests under a misleading skill identity.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The bootstrap directs the agent to help users connect via WhatsApp or Telegram and to show a QR code, which expands the skill from internal workflow orchestration into external communications setup. In this context, that creates an unjustified capability increase and can expose users to privacy, account-linking, and social-engineering risks unrelated to the declared dispatch purpose.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file instructs the agent to establish a persona, collect user profile details, and maintain identity-related files, which does not align with a team-dispatch skill whose stated purpose is orchestration, task decomposition, and durable task tracking. This mismatch is dangerous because users and reviewers may not expect profile-building behavior in a dispatch component, increasing the chance of unauthorized data collection and hidden state creation.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The instructions tell the agent to collect the user's name, preferred form of address, timezone, notes, values, boundaries, and preferred contact channel even though those data are not necessary for a dispatch/orchestration function. In a narrowly scoped orchestration skill, this is excessive data collection and increases privacy risk, especially when paired with instructions to persist the information.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This helper enumerates backup directories and prints the contents and leading lines of local backup files, including `openclaw.json.bak` and `team-dispatch.json.bak`. Backup artifacts often contain sensitive configuration, state, tokens, prompts, or workflow data, and exposing them is not necessary for the stated orchestration purpose of the skill, so it increases the risk of unintended local data disclosure.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The restore script overwrites global OpenClaw configuration files in the user's home directory and then restarts the gateway, which affects the broader host environment rather than only this skill's internal state. In the context of a skill advertised for multi-agent orchestration, this is an overly powerful side effect: if the backup source is wrong, stale, or attacker-controlled, it can reintroduce unsafe configuration and disrupt other OpenClaw behavior.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Restarting the OpenClaw gateway is host-level service control and can interrupt ongoing workflows or apply newly restored configuration immediately without additional review. That capability is broader than necessary for a simple restore helper and increases operational risk, especially if the script is invoked automatically or with an untrusted backup path.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer silently provisions a recurring cron job that is not necessary for core installation and exceeds the stated scope of orchestration/tracking setup. Persistently adding scheduled behavior creates ongoing execution and data-processing capability without explicit, informed user consent, which is risky for an install script.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script modifies the global agent configuration so the main agent has subagents.allowAgents=['*'], granting unrestricted access to all subagents. This broad privilege expansion increases the blast radius of any compromise, misconfiguration, or prompt abuse affecting the main agent.

VirusTotal

64/64 vendors flagged this skill as clean.
