Back to skill

Security audit

Multi-Agent Intercom

Security checks across malware telemetry and agentic risk

Overview

This skill transparently enables local agents to message each other, but it gives that channel persistent, automatic influence over other agents without clear sender verification or approval controls.

Install only in a trusted local multi-agent setup where you intentionally want agents to wake and message each other. Before use, limit which agents may send and receive, avoid sensitive data in intercom messages, review the generated SOP before pasting it into `AGENTS.md`, and change it so agents verify sender identity and ask for human approval before taking high-impact actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Use CREATE_NO_WINDOW (0x08000000). 
            # Do NOT use DETACHED_PROCESS (0x00000008) as they conflict and can cause windows to pop up.
            CREATE_NO_WINDOW = getattr(subprocess, 'CREATE_NO_WINDOW', 0x08000000)
            subprocess.Popen(
                [executable] + cmd_list[1:],
                creationflags=CREATE_NO_WINDOW,
                stdout=subprocess.DEVNULL,
Confidence
92% confidence
Finding
subprocess.Popen( [executable] + cmd_list[1:], creationflags=CREATE_NO_WINDOW, stdout=subprocess.DEVNULL, stderr=subprocess.

subprocess module call

Medium
Category
Dangerous Code Execution
Content
close_fds=True
            )
        else:
            subprocess.Popen(
                [executable] + cmd_list[1:],
                preexec_fn=os.setsid,
                stdout=subprocess.DEVNULL,
Confidence
92% confidence
Finding
subprocess.Popen( [executable] + cmd_list[1:], preexec_fn=os.setsid, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code can invoke whatever executable is resolved from PATH for 'openclaw', and on Windows may additionally invoke PowerShell with ExecutionPolicy Bypass. That exceeds a minimal messaging need and creates an execution primitive that could be abused through PATH hijacking, wrapper substitution, or covert command relaying.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly promotes autonomous cross-agent messaging, immediate wake-up behavior, and preservation of context in another agent's main session, but does not clearly warn users that this can alter other agents' state, interrupt active workflows, and trigger unreviewed actions. In a multi-agent environment, unsolicited cross-boundary wake-ups can become a coordination and integrity risk even if the feature is described as 'safe' or 'compliant'.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
Automatically selecting English or Chinese based on OS language without user choice can create unintended behavior, mislocalized instructions, or disclosure of environment characteristics. While not a critical security flaw by itself, implicit locale-driven behavior reduces predictability and can cause agents or users to receive operational instructions in an unexpected language.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger conditions include generic requests such as asking to send a message to another agent, which can cause the skill to activate in ordinary conversations without clear user intent to use this mechanism. In a multi-agent environment, unintended activation increases the chance of unauthorized cross-agent messaging or accidental propagation of this protocol.

Ssd 4

High
Confidence
98% confidence
Finding
The setup workflow tells the human to paste a generated SOP into every agent's `AGENTS.md`, creating persistent instruction-level influence over otherwise isolated agents. This is effectively a social-engineering based trust-boundary bypass: once installed, it can steer how multiple agents receive, prioritize, and respond to messages outside the normal isolation model.

Ssd 4

Medium
Confidence
94% confidence
Finding
The generated SOP instructs agents to trust and immediately process inter-agent messages, to reply off-chat, and to normalize lateral command usage. In context, this is dangerous because it establishes a social/procedural channel for indirect prompt injection and unauthorized delegation between otherwise isolated agents.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.