Team Resurrection

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its migration and cloning purpose, but it handles very sensitive agent state and can import persistent scheduled tasks with under-scoped review controls.

Install only if you intend to migrate or clone a full OpenClaw agent environment. Run migrate.py with --dry-run first, inspect the ZIP contents and cron_tasks.json in full, prefer --no-cron until you trust every scheduled payload, and treat generated migration packages as secrets because they may contain memories, API keys, account details, prompts, and workspace configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (21)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
def info(msg):  print(f"{BLUE}[i]{NC} {msg}")

def run_cmd(cmd):
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.strip(), result.returncode

# =============================================
```
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill description understates the full behavior: beyond backup/migration, it also modifies agent trust boundaries, creates persistence via cron, copies highly sensitive memory/credential files, can overwrite or repoint the main agent, and restarts the gateway. This mismatch can cause users to consent to operations with greater security and operational impact than they reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The changelog advertises a 'clone/resurrection' capability that materially exceeds the declared packaging/migration purpose in the metadata. That kind of scope mismatch is dangerous because it can conceal persistence, session takeover, or unauthorized state recovery features behind a benign description, reducing user scrutiny and informed consent.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
Presenting resurrection/clone behavior as the core feature while the manifest frames the skill as team packaging/migration creates a deceptive trust boundary. Even if not overtly malicious, this discrepancy can cause operators to install or run a skill with capabilities they did not expect, increasing the chance of misuse or unsafe execution.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The cron template defines an unattended agent task that reads local state, updates repository content, and performs commit/push actions on a daily schedule. For a skill whose stated purpose is team migration/packaging, embedding autonomous repository-changing behavior creates a significant integrity risk and can propagate unintended or harmful changes to remotes without fresh user approval.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The file describes itself as a generic cron template, but the actual task is a specific self-improvement workflow that modifies and pushes repository state. This mismatch increases the chance that users or reviewers will consent to installation under false assumptions, enabling stealthy persistence and unintended code or content changes.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The migration script does more than copy team configuration: it imports and activates cron tasks from package contents, allowing persistent scheduled actions to be installed from an untrusted migration bundle. That materially expands the trust boundary and can turn a one-time migration into long-lived code or action execution on the host.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Restarting the local gateway changes system state beyond simple file migration and can immediately activate newly imported configuration or tasks. In a tool that consumes untrusted package contents, automatic service restart increases the chance that unsafe changes take effect without giving the operator time for independent review.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Creating scheduled jobs from package data is a powerful capability not tightly aligned with a migration tool's stated purpose, and it introduces persistence controlled by the package author. Even with a review prompt, only a truncated payload is shown, so harmful job content may be hidden from the user while still being installed.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script exports cron task definitions and payloads into the migration package, expanding collection beyond the described team/workspace packaging scope. Cron payloads can contain operational logic, prompts, secrets, or sensitive context, so silently bundling them increases data exposure risk during transfer or reuse.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script enumerates common directories under the user's home directory and records detected git work directories in the package, even though this behavior is outside the stated packaging scope. This leaks repository locations and project structure metadata that may reveal confidential client, product, or organizational information.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The generated README claims safeguards such as showing all changes for confirmation and supporting fine-grained controls, but this packer does not implement or verify those protections. Misrepresenting safety controls can cause users to trust and share sensitive migration bundles under false assumptions, increasing the chance of unsafe downstream automation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly instructs packaging identity files, memory, user information, tools configuration, agent rosters, skills, and cron/config artifacts, but it does not clearly warn that these may contain sensitive personal data, credentials, IDs, behavioral history, or internal operational details. In a migration skill, this omission is risky because users may create and transfer archives containing highly sensitive material without informed consent, increasing the chance of unintended disclosure or insecure handling.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The migration flow performs privileged and potentially disruptive actions—copying files into agent workspaces, updating configuration, creating cron tasks, and restarting the gateway—yet the documentation does not present a consolidated risk notice describing operational, persistence, and availability consequences. This matters because users may run the migration with incomplete understanding of system-wide effects, leading to accidental service interruption, unintended persistence, or unsafe deployment of imported content.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrases are broad everyday requests like '我要搬家' ("I want to move") or '备份团队' ("back up the team"), which can activate a skill that performs powerful filesystem, config, cron, and restart actions without sufficiently narrow scope checks. In a high-privilege migration skill, ambiguous triggering increases the risk of accidental invocation and unintended destructive or sensitive operations.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The template sets a broad recurring trigger with an underspecified target context, causing a generic migration skill to install persistent automation whose operational scope is not tightly bounded. Overbroad scheduling increases the risk of repeated unintended actions, especially when the payload includes repository modification and remote synchronization behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script copies core identity and memory files, including files explicitly noted as possibly containing private data or API keys, into a portable archive without an upfront consent checkpoint. In this context, the tool is designed for easy migration, so accidental over-collection and exfiltration of highly sensitive agent data is a realistic risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script writes agent configuration and cron task payloads into package files without clearly warning that these outputs may embed sensitive configuration, prompts, routing data, or tokens. Because the package is intended to be handed to another agent or moved to another machine, undisclosed sensitive exports materially increase exposure risk.

Ssd 3

High
Confidence
95% confidence
Finding
The README instructs users to hand the produced package to an agent for automatic migration of identity, memory, tools, team, and task data. This encourages automated processing of a highly sensitive bundle by another agent, which can lead to over-trust, unintended execution of bundled content, or disclosure of confidential state across environments.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Solution:** Use a different suffix, or manually delete the old clone:
```bash
rm -rf ~/.qclaw/workspace-xxx-旧后缀
# Then delete the corresponding agent entry from openclaw.json
```
Confidence
73% confidence
Finding
rm -rf ~/.qclaw/workspace-xxx-旧后缀 # Then delete the corresponding agent entry from openclaw.json ``` ### Problem 5: Configuration lost after migration **Cause:** v1.0 used config replace **Solution:** Fixed in v2.0+ (deep merge). Rollback: `cp -r ~

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Solution:** Use a different suffix, or manually delete the old clone:
```bash
rm -rf ~/.qclaw/workspace-xxx-旧后缀
# Then delete the corresponding agent entry from openclaw.json
```
Confidence
73% confidence
Finding
rm -rf ~/.qclaw/

VirusTotal

66/66 vendors flagged this skill as clean.
