Claw Multi Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a real multi-agent orchestration tool, but it gives spawned agents broad tool access and can persist or forward reports without enough explicit user control.

Review before installing. Use it only when you intentionally want multi-agent execution, avoid sensitive prompts unless you trust all configured model providers and OpenClaw subprocesses, and ask for a dry run or explicit plan before spawning agents, writing files, running code, or sending Feishu documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: The skill unconditionally instructs the agent to write reports to disk and then send them outward via chat attachment or Feishu doc/link based on channel, without requiring explicit user confirmation for persistence or exfiltration. In an agent environment, this creates a data-handling risk because sensitive task content may be saved and transmitted beyond the immediate chat context by default.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The module claims it introduces no new attack surface, but it launches an external CLI subprocess and forwards the full parent environment with `env = {**os.environ}`. That expands trust boundaries: secrets in environment variables and ambient execution context become available to spawned agents, which can increase exposure if a sub-agent is compromised or behaves unexpectedly.

Intent-Code Divergence
Severity: Medium
Confidence: 93%
Finding: The documentation asserts that permission boundaries and path validation are handled elsewhere, but this engine itself does not enforce those guarantees before sending tasks to sub-agents. Because task text can instruct file access or other actions through the downstream CLI agent, relying entirely on an external orchestrator creates a trust gap and can enable unsafe behavior if upstream validation is missing or bypassed.

Vague Triggers
Severity: Medium
Confidence: 87%
Finding: The README advertises very broad natural-language triggers such as '多智能体做 xxx' ("use multiple agents to do xxx") and '全面分析一下 xxx 的优缺点' ("comprehensively analyze the pros and cons of xxx"), which can match ordinary user requests without clearly signaling that a high-impact multi-agent workflow will be invoked. In a skill that can fan out work across multiple agents, this ambiguity can cause unintended activation, unnecessary external calls, and expanded access to tools beyond what the user reasonably expected.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The auto-routing section uses generic trigger words like '分析、翻译、写作' ("analysis, translation, writing") and '搜索、调研、最新' ("search, research, latest"), which are common in everyday prompts and do not place clear bounds on when the skill should switch modes. Because the skill may choose modes that enable networked sub-agents or multiple parallel agents, underspecified routing increases the risk of unanticipated behavior, cost, and exposure of user data to more tools or model contexts.

Missing User Warnings
Severity: High
Confidence: 96%
Finding: The README explicitly states that child agents have full tools including network access, file read/write, and code execution, yet it provides no warning about privacy, local system effects, or the possibility of modifying files and running untrusted operations. In a multi-agent orchestration skill, this is especially dangerous because the blast radius scales with the number of spawned agents, making accidental data exposure, filesystem changes, or unsafe execution more likely.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The trigger list includes very broad, common phrases such as research, analysis, compare models, and multilingual equivalents, making accidental activation likely during ordinary conversation. Over-triggering matters here because activation leads to multi-agent spawning, file writes, and possible outbound delivery behaviors, increasing the chance of unintended side effects.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The skill directs the agent to always save a markdown report to a workspace path before delivery, without warning the user or checking whether persistence is appropriate. Default file creation can leak sensitive prompts, create unintended retention, and violate least-surprise expectations, especially when combined with automatic reporting workflows.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill explicitly fans out the same user prompt to multiple external models, but the description does not disclose that user input will be shared with several third-party providers. This creates a real transparency and data-handling risk because users may submit sensitive content without realizing it will be replicated across multiple services, increasing exposure and compliance concerns.

VirusTotal

66/66 vendors flagged this skill as clean.