AI 朝廷 · 多 Agent 协作系统 (AI Imperial Court: Multi-Agent Collaboration System)

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but its default templates expose powerful multi-agent bots too broadly unless an admin hardens them first.

Install only after hardening the templates:
  • restrict allowed users, servers, channels, and DMs;
  • remove broad mention triggers;
  • validate all bindings;
  • align sandbox permissions with each role;
  • protect bot tokens and app secrets outside shared configs;
  • back up the existing OpenClaw config before copying over it;
  • set retention/redaction rules for any archived records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding: The bindings map Feishu accounts to agent IDs such as zhongshu, menxia, shangshu, yushitai, and shiguan, but those agent IDs are not defined in the agents list. This creates undefined routing behavior: messages may fail open, fail closed unpredictably, or be routed to defaults/errors that expose data or break authorization assumptions. In a multi-agent messaging system, mismatched bindings can become a security boundary failure if external messages are delivered to unintended handlers.

Intent-Code Divergence
Severity: Medium
Confidence: 92%
Finding: The agent persona explicitly says the role is limited to information retrieval and must not modify files, but the sandbox grants broad agent-level execution capability. That mismatch breaks least privilege and allows prompt injection, tool misuse, or operator error to turn a supposedly read-only agent into one that can execute actions or alter local state.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: Most of these agents are defined as advisory, planning, reporting, or coordination roles, yet they are configured with sandbox mode "off", which can grant them unjustified access to execute actions without isolation. In a multi-agent environment exposed to external chat channels, prompt injection or role confusion could cause these agents to perform unsafe local actions or access sensitive resources beyond their business purpose.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: Discord is enabled with open DM and group interaction policies across many role agents, creating a broad external attack surface for untrusted user input. Because these agents represent internal business roles and some are unsandboxed, attackers could interact with them directly, trigger unintended workflows, exfiltrate information, or use social-engineering-style prompt injection to influence higher-privilege behavior.

Intent-Code Divergence
Severity: Medium
Confidence: 91%
Finding: The '庶吉士' agent is explicitly described as read-only ('不产出正文、不修改任何文件', i.e. "produces no body text and modifies no files"), but its runtime configuration gives it a normal workspace plus sandbox mode 'all', which typically permits writing within that workspace. This creates a policy/permission mismatch: if the agent is prompt-injected, misconfigured, or its role constraints fail, it can modify files despite users and operators expecting it to be non-modifying.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The setup guide instructs users to place bot application credentials directly into a persistent local configuration file but does not warn about secret handling, file permissions, rotation, or avoiding accidental disclosure. In a multi-agent/server deployment context, these credentials can grant control over messaging bots or organizational integrations, so poor handling materially increases the risk of credential leakage and unauthorized access.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The installation steps copy a template directly over ~/.openclaw/openclaw.json, which can silently replace a user's active configuration without backup or merge guidance. In this skill's context, that file likely controls active agents, channels, and credentials, so overwriting it can cause service disruption, misrouting, or accidental loss of prior secure settings.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: Treating broad mass-mention strings like @everyone and @here as trigger patterns can cause group-chat handling to activate on common broadcast phrases rather than explicit bot mentions. An attacker or ordinary user can intentionally include these phrases to trigger unintended agent participation, creating prompt injection opportunities, spam amplification, or unauthorized workflow initiation in public channels. Because this skill is designed for open group Feishu use, the trigger surface is larger and more exposed.

Natural-Language Policy Violations
Severity: Medium
Confidence: 93%
Finding: The skill mandates a specific honorific and self-referential communication style ('皇帝/陛下', "Emperor/Your Majesty", and '臣', "your subject") without any user opt-in. This can override user preferences, reduce usability, and cause inappropriate or culturally loaded output in contexts where such framing is unwanted, especially because the file presents these as normative rules rather than optional roleplay.

Natural-Language Policy Violations
Severity: Medium
Confidence: 91%
Finding: The skill hard-requires imperial-era Chinese honorifics such as calling the user '皇帝/陛下' ("Emperor/Your Majesty") and self-identifying as '臣' ("your subject"), without offering a neutral or locale-appropriate alternative. This creates a coercive persona and locale lock-in that can degrade usability, exclude users from other linguistic or cultural contexts, and interfere with safe, professional communication norms in multi-user or enterprise settings.

Vague Triggers
Severity: Medium
Confidence: 93%
Finding: Top-level DM and group policies are both set to "open", which gives all channel accounts an overly broad activation scope. This makes it easier for arbitrary external users to engage agents in unintended contexts, increasing the chance of abuse, spam, prompt injection, or unauthorized access to sensitive behavior.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: Each Discord account also sets groupPolicy to "open", so even if some higher-level controls existed, the per-account policies remain permissive and underspecified. Uniformly open triggers across executive and business-role bots increase the likelihood that an attacker can reach sensitive personas and induce unintended actions or disclosures.

Natural-Language Policy Violations
Severity: Medium
Confidence: 91%
Finding: The skill explicitly mandates a specific roleplay-based form of address ('皇帝/陛下', "Emperor/Your Majesty", and '臣', "your subject") without requiring user opt-in. This can override user preference, create unwanted coercive or culturally loaded framing, and degrade safe, neutral interaction norms even though it is not directly a code-execution or data-exfiltration issue.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The documentation explicitly tells users to place a Feishu App ID and App Secret into a local JSON config file, but provides no guidance on file permissions, secret storage, encryption, redaction, or avoiding committing the file to source control. This can lead to credential disclosure through shared machines, backups, logs, screenshots, or accidental repository commits, enabling unauthorized use of the bot integration.

Ssd 3
Severity: Medium
Confidence: 92%
Finding: The instruction that all workflow traffic must be publicly visible in-channel can cause user prompts, task details, code, credentials, business data, or incident information to be reposted into shared chat spaces. In a multi-user collaboration platform, this creates a clear confidentiality risk because sensitive data may be unnecessarily disclosed to channel members or retained in platform history.

Ssd 3
Severity: Medium
Confidence: 94%
Finding: The daily recordkeeping directive instructs the agent to capture all important events, outputs, discussions, and anomalies, which can result in persistent storage of sensitive user content, operational details, or security-relevant data. Centralized archival increases exposure because information that was transient in chat becomes durable, searchable, and potentially accessible beyond the original audience.

Ssd 3
Severity: Medium
Confidence: 88%
Finding: The configuration instructs an agent to comprehensively record and archive important tasks, outputs, discussions, and anomalies, which creates a centralized natural-language log of potentially sensitive operational and user data. In a multi-agent, multi-channel environment with open group policies, this increases the chance of over-collection, retention of secrets, and broader exposure of information that should remain need-to-know.

Ssd 3
Severity: Medium
Confidence: 93%
Finding: The logging agent is explicitly instructed to record all important tasks, discussions, outputs, decisions, anomalies, and monthly statistics, then archive them in a workspace. In an open Discord/group environment, this creates a systematic data retention and disclosure channel that can capture sensitive user prompts, operational details, secrets, and internal deliberations far beyond what is minimally necessary.

VirusTotal

65/65 vendors flagged this skill as clean.