多 Agent 混合层级隔离架构 1.0 (Multi-Agent Hybrid Hierarchical Isolation Architecture 1.0)
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The multi-agent workflow is coherent, but it persistently changes agent behavior and gives a media agent broad public-posting/tool authority without strong approval or technical boundaries.
Install only if you are comfortable editing persistent agent SOUL.md files and reviewing the underlying baoyu-* skills. Before use, require explicit confirmation for every public post, avoid broad “all baoyu-*” permissions, back up existing agent files, and set rules for what may be stored in memory.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A simple or urgent request could cause powerful tools or public posting to run before the user has reviewed the exact final action.
The media agent is told it may directly execute posting requests and is granted an open-ended baoyu-* tool family, including a tool explicitly named danger, without a clear whitelist or final approval requirement.
User: @小媒 help me post to Weibo ... You: Sure thing! On it right away~ 📱 ... ✅ `baoyu-danger-gemini-web` ... ✅ all other `baoyu-*` skills
Whitelist exact allowed tools, require explicit user confirmation before publishing or account-changing actions, and separately gate or remove dangerous/unknown baoyu-* tools.
If those posting skills are configured with real accounts, the media agent could publish externally with unclear account boundaries.
These tools imply delegated authority over third-party social/media accounts, but the skill does not define which accounts, scopes, approval steps, or rollback controls apply.
✅ `baoyu-post-to-wechat` - WeChat Official Account publishing ✅ `baoyu-post-to-weibo` - Weibo publishing ✅ `baoyu-post-to-x` - X/Twitter publishing
Document the exact accounts and permissions used, require confirmation for every public post, and prefer least-privilege credentials in the underlying posting skills.
Users may overtrust the isolation and assume sensitive tools are technically blocked when they are mainly controlled by agent instructions.
The skill presents the design as permission/physical/logical isolation, but the described controls are soft links plus prompt instructions rather than technical enforcement.
✅ **Permission isolation**: the core Agent does not directly execute sensitive operations ... **Physical isolation**: each Agent has its own dedicated directory and shares skills via soft links ... **Logical isolation**: behavioral constraints are injected through SOUL.md files
Clearly label this as prompt-level policy, not enforced RBAC, and avoid installing or linking sensitive tools into agents that should never use them.
Agent behavior may keep following these role and routing rules after the original setup task is finished.
The setup persistently changes agent persona/behavior files and reloads the gateway. This is purpose-aligned, but it affects future sessions until reverted.
cp templates/writer-soul-template.md ~/Documents/openclaw/agents/writer/SOUL.md ... cp templates/media-soul-template.md ~/Documents/openclaw/agents/media/SOUL.md ... openclaw gateway restart
Back up existing SOUL.md files, review the templates before copying them, and keep a clear rollback procedure.
Task details, preferences, or mistakes could be retained and influence future interactions.
The skill instructs agents to store task results and reusable experience in persistent memory for later use.
After each task completes, 墨墨 is responsible for: 1. Recording the task type and result to `memory/YYYY-MM-DD.md` ... 3. Distilling reusable experience into `MEMORY.md`
Avoid storing sensitive details, periodically review/delete memory files, and define retention and redaction rules.
Information included in delegated tasks may be exposed to another agent context or stored in its memory.
The workflow passes detailed task context between agents using @mentions. This is central to the skill, but identity and data boundaries are not technically specified.
@小媒 Big Brother needs [specific task], please help carry it out: - Task description: [detailed description] ... When you are done, tell me and I will consolidate it for Big Brother
Do not pass secrets or sensitive personal data through inter-agent messages, and verify which agent identities are actually receiving @mentions.
The real risk depends heavily on the external baoyu-* skills and their credentials, network behavior, and safety controls.
The architecture depends on separately installed baoyu-* skills that are not included in this artifact set, while this package grants one agent broad authority to use them.
Prerequisites ... The baoyu-* family of skills is installed (image generation, new-media publishing, etc.)
Review each baoyu-* skill independently before granting it to the media agent, especially any posting or browser/API escape-hatch skills.
