Claw Multi Agent
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: claw-multi-agent
Version: 1.0.5
The skill is suspicious due to significant prompt injection vulnerabilities and broad capabilities granted to sub-agents. It leverages OpenClaw's `sessions_spawn` to create sub-agents with 'full OpenClaw tools' including file read/write and code execution, as stated in SKILL.md. Multiple prompt injection vectors exist, such as constructing sub-agent prompts from user input (via `run.py`), chaining agent outputs into subsequent prompts (`run.py`), and placeholders in templates like `{file_path}` and `{prompt}` (e.g., `templates/code_review.json`). Sub-agents also inherit all environment variables (`multiagent_engine.py`), posing a potential exfiltration risk if maliciously prompted. While there's no evidence of intentional malicious code, these capabilities and injection surfaces present a high risk for exploitation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A multi-agent run could have several child agents searching the web, reading or writing files, or executing code at the same time under your OpenClaw permissions.
The skill explicitly gives spawned child agents network, file, and code-execution capability. This is purpose-aligned, but broad parallel tool authority is high-impact and the artifacts do not clearly bound per-agent tool scope or approval.
Sub-agents have full tools: web search, reading and writing files, executing code
Use it only for trusted, well-scoped tasks; require explicit confirmation for write, execute, delete, deploy, or account-changing actions and constrain allowed paths/tools where possible.
Child agents may access the same project files, tools, and configured model/session permissions as the main agent.
The code comments state that child agents inherit the main agent's permission boundary, so delegation uses the user's existing OpenClaw authority.
Sub-agents run within the same OpenClaw session context and inherit the same permission boundaries as the main agent.
Run this skill in a least-privilege workspace and avoid using it in projects containing secrets or sensitive files unless the task truly requires that access.
A misleading prior result or prompt-injection text collected during research could affect later analysis or the final report.
Sequential pipeline phases directly inject earlier agent outputs into later prompts. That is expected for orchestration, but untrusted or web-derived content in earlier outputs could influence downstream agents.
task_text = f"【前序任务输出】\n{dep_output}\n\n【当前任务】\n{task_text}"
Treat sub-agent and web outputs as data, not instructions; review intermediate results for sensitive tasks and add explicit ignore-instructions/quote-as-evidence constraints when chaining phases.
Generated report content may be saved or shared through Feishu or another chat channel according to the current channel context.
The skill documents cross-skill/provider delivery of generated reports into Feishu when available. This is disclosed, but report visibility and workspace permissions are not described in the artifacts.
Feishu + has `feishu-all-operations` skill | Create Feishu doc → send link (best UX)
Before using it with confidential content, confirm where reports will be posted, who can access created documents, and whether attachment/doc delivery is appropriate.
Installing from a moving remote repository can expose you to future repository changes that were not part of this review.
The README uses a user-directed remote GitHub install command without pinning a commit or release. This is common for skills, but users should verify provenance.
npx --yes skills add https://github.com/zcyynl/claw-multi-agent
Install from a trusted source, prefer pinned releases or commits, and re-review code after updates.
