中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:23 hr ago Rescan
20 /100
multi-agent-brand-studio
Sets up a Multi-Agent Brand Studio team on OpenClaw: 5 AI agents (Leader, Creator, Worker, Researcher, Engineer) + on-demand Reviewer, with shared knowledge base, approval workflow, brand isolation, and Telegram integration.
A legitimate multi-agent orchestration skill with clean code and no malicious behavior. Minor documentation gaps exist around script usage and exec permissions for cron isolated sessions, but no credential theft, data exfiltration, or obfuscation is present.
Skill Namemulti-agent-brand-studio
Duration65.2s
Enginepi
Safe to install
Approve for use. No actionable security concerns. Consider documenting exec usage by the cron isolated session in SKILL.md for transparency.

Findings 2 items

Severity Finding Location
Low
SKILL.md does not declare script execution Doc Mismatch
SKILL.md describes the skill's behavior and workflow but does not explicitly mention that three scripts (scaffold.sh, patch-config.js, telegram-topics.js) are executed as part of the setup. These are standard file/script operations documented in the step-by-step onboarding but not in the top-level capability summary.
SKILL.md describes interactive onboarding flow but never enumerates scripts/scaffolding tools in declared capabilities
→ Add a 'Declared Capabilities' section to SKILL.md listing: shell execution (scaffold.sh), Node.js config patching (patch-config.js), Telegram API calls (telegram-topics.js).
 SKILL.md:1
Low
Cron isolated session exec permission not declared in tool fence Doc Mismatch
The Leader's tool fence (patch-config.js AGENT_TOOL_DENY) denies exec, and SOUL.md states 'You do NOT have exec'. However, AGENTS.md §7 (Cron Safety Net) explicitly documents that 'The cron isolated session CAN use exec'. This is a documented exception but conflicts with the surface-level tool denial.
§7: 'The cron isolated session CAN use exec (it has its own permission scope). Leader's normal session cannot.'
→ Add a note in SOUL.md's tool fence section acknowledging the cron isolated session exception, or clarify in patch-config.js that exec is denied per-agent but not per-session.
 assets/workspace/AGENTS.md:1
ResourceDeclaredInferredStatusEvidence
Filesystem NONE WRITE ✓ Aligned scripts/scaffold.sh creates dirs in ~/.openclaw; scripts/patch-config.js writes …
Network NONE WRITE ✓ Aligned scripts/telegram-topics.js makes HTTPS POST to api.telegram.org
Shell NONE WRITE ✓ Aligned scripts/scaffold.sh is a bash script executed as part of setup
Environment NONE READ ✓ Aligned patch-config.js reads $HOME for baseDir; scaffold.sh reads $HOME, $USER, $EUID
Skill Invoke NONE WRITE ✓ Aligned Copies instance-setup, brand-manager, qmd-setup sub-skills into Leader's skills/
Clipboard NONE NONE No clipboard access detected
Browser NONE NONE No browser tool access in any agent config
Database NONE NONE QMD optionally uses SQLite at ~/.openclaw/memory/main.sqlite, only if owner inst…

File Tree

45 files · 168.8 KB · 4894 lines
Markdown 40f · 3671L JavaScript 2f · 765L Shell 1f · 358L JSON 2f · 100L
├─ 📁 assets
│ ├─ 📁 config
│ │ └─ 📋 cron-jobs.json JSON 72L · 3.6 KB
│ ├─ 📁 shared
│ │ ├─ 📁 brands
│ │ │ └─ 📁 _template
│ │ │ ├─ 📝 content-guidelines.md Markdown 29L · 472 B
│ │ │ └─ 📝 profile.md Markdown 74L · 2.1 KB
│ │ ├─ 📁 domain
│ │ │ └─ 📁 _template
│ │ │ └─ 📝 industry.md Markdown 29L · 711 B
│ │ ├─ 📁 errors
│ │ │ └─ 📝 solutions.md Markdown 25L · 596 B
│ │ ├─ 📁 operations
│ │ │ ├─ 📝 approval-workflow.md Markdown 73L · 3.1 KB
│ │ │ ├─ 📝 brief-templates.md Markdown 343L · 8.7 KB
│ │ │ ├─ 📝 channel-map.md Markdown 41L · 1.3 KB
│ │ │ ├─ 📝 communication-signals.md Markdown 81L · 3.8 KB
│ │ │ ├─ 📝 content-guidelines.md Markdown 55L · 1.7 KB
│ │ │ └─ 📝 posting-schedule.md Markdown 31L · 745 B
│ │ ├─ 📝 brand-guide.md Markdown 21L · 732 B
│ │ ├─ 📝 brand-registry.md Markdown 23L · 813 B
│ │ ├─ 📝 compliance-guide.md Markdown 27L · 824 B
│ │ ├─ 📝 system-guide.md Markdown 76L · 2.8 KB
│ │ └─ 📝 team-roster.md Markdown 20L · 794 B
│ ├─ 📁 skills
│ │ ├─ 📁 brand-manager
│ │ │ └─ 📝 SKILL.md Markdown 100L · 3.2 KB
│ │ ├─ 📁 instance-setup
│ │ │ └─ 📝 SKILL.md Markdown 76L · 2.3 KB
│ │ └─ 📁 qmd-setup
│ │ └─ 📝 SKILL.md Markdown 222L · 6.5 KB
│ ├─ 📁 workspace
│ │ ├─ 📝 AGENTS.md Markdown 310L · 15.9 KB
│ │ ├─ 📝 HEARTBEAT.md Markdown 6L · 331 B
│ │ ├─ 📝 IDENTITY.md Markdown 20L · 733 B
│ │ └─ 📝 SOUL.md Markdown 118L · 4.4 KB
│ ├─ 📁 workspace-creator
│ │ ├─ 📝 AGENTS.md Markdown 100L · 3.3 KB
│ │ └─ 📝 SOUL.md Markdown 31L · 1.1 KB
│ ├─ 📁 workspace-engineer
│ │ ├─ 📝 AGENTS.md Markdown 91L · 3.9 KB
│ │ └─ 📝 SOUL.md Markdown 25L · 852 B
│ ├─ 📁 workspace-researcher
│ │ ├─ 📝 AGENTS.md Markdown 116L · 4.3 KB
│ │ └─ 📝 SOUL.md Markdown 24L · 1021 B
│ ├─ 📁 workspace-reviewer
│ │ ├─ 📝 AGENTS.md Markdown 104L · 4.7 KB
│ │ └─ 📝 SOUL.md Markdown 25L · 917 B
│ └─ 📁 workspace-worker
│ ├─ 📝 AGENTS.md Markdown 56L · 1.7 KB
│ └─ 📝 SOUL.md Markdown 30L · 1.0 KB
├─ 📁 references
│ ├─ 📝 agent-roles.md Markdown 76L · 3.2 KB
│ ├─ 📝 approval-workflow.md Markdown 5L · 199 B
│ ├─ 📝 architecture.md Markdown 90L · 3.8 KB
│ ├─ 📋 example-agent-config.json JSON 28L · 943 B
│ ├─ 📝 memory-system.md Markdown 64L · 2.3 KB
│ ├─ 📝 signals-protocol.md Markdown 5L · 211 B
│ └─ 📝 troubleshooting.md Markdown 93L · 3.6 KB
├─ 📁 scripts
│ ├─ 📜 patch-config.js JavaScript 468L · 14.6 KB
│ ├─ 🔧 scaffold.sh Shell 358L · 10.8 KB
│ └─ 📜 telegram-topics.js JavaScript 297L · 9.2 KB
├─ 📝 README.md Markdown 568L · 17.0 KB
└─ 📝 SKILL.md Markdown 368L · 14.4 KB

Dependencies 5 items

PackageVersionSourceKnown VulnsNotes
fs (Node.js stdlib) bundled node No Standard library, no external deps
path (Node.js stdlib) bundled node No Standard library, no external deps
child_process (Node.js stdlib) bundled node No Used only for which qmd — no arbitrary command execution
https (Node.js stdlib) bundled node No Used for Telegram Bot API calls only
@tobilu/qmd * npm/bun (optional) No Optional dependency; only installed if owner explicitly runs qmd-setup

Security Positives

✓ No base64-encoded execution, eval(), or obfuscated payloads anywhere in the codebase
✓ No credential harvesting — scripts read $HOME for path resolution only, not for harvesting secrets
✓ No network exfiltration — telegram-topics.js only calls the Telegram Bot API for topic creation
✓ No sensitive path access (~/.ssh, ~/.aws, .env) — all writes target ~/.openclaw
✓ No curl|bash or wget|sh remote script downloads — scaffold.sh only operates on local files
✓ No supply chain risk — all dependencies are standard library (fs, path, child_process, https in Node.js; bash builtins in shell)
✓ No persistence mechanisms beyond cron jobs, which are owner-configured and documented
✓ patch-config.js uses deep merge safely — existing config is backed up before writing
✓ scaffold.sh uses set -euo pipefail — safe error handling with no silent failures
✓ No hidden HTML comments or steganographic payloads
✓ Telegram bot token is read from config file, not hardcoded or harvested from environment
✓ All agent tool restrictions are explicitly defined in patch-config.js AGENT_TOOL_DENY map
✓ QMD is optional and only installed if owner explicitly runs qmd-setup or uses --force-qmd