Low risk — risk score 20/100
Last scanned: 1 day ago
multi-agent-brand-studio
Sets up a Multi-Agent Brand Studio team on OpenClaw: 5 AI agents (Leader, Creator, Worker, Researcher, Engineer) + on-demand Reviewer, with shared knowledge base, approval workflow, brand isolation, and Telegram integration.
A legitimate multi-agent orchestration skill with clean code and no malicious behavior. Minor documentation gaps exist around script usage and exec permissions for cron isolated sessions, but no credential theft, data exfiltration, or obfuscation is present.
Skill name: multi-agent-brand-studio
Analysis time: 65.2s
Engine: pi
Safe to install
Approve for use. No actionable security concerns. Consider documenting exec usage by the cron isolated session in SKILL.md for transparency.

Security findings (2)

Severity  Finding  Location
Low
SKILL.md does not declare script execution (Documentation deception)
SKILL.md describes the skill's behavior and workflow but does not explicitly mention that three scripts (scaffold.sh, patch-config.js, telegram-topics.js) are executed as part of the setup. These are standard file/script operations documented in the step-by-step onboarding but not in the top-level capability summary.
SKILL.md describes interactive onboarding flow but never enumerates scripts/scaffolding tools in declared capabilities
→ Add a 'Declared Capabilities' section to SKILL.md listing: shell execution (scaffold.sh), Node.js config patching (patch-config.js), Telegram API calls (telegram-topics.js).
SKILL.md:1
Low
Cron isolated session exec permission not declared in tool fence (Documentation deception)
The Leader's tool fence (patch-config.js AGENT_TOOL_DENY) denies exec, and SOUL.md states 'You do NOT have exec'. However, AGENTS.md §7 (Cron Safety Net) explicitly documents that 'The cron isolated session CAN use exec'. This is a documented exception but conflicts with the surface-level tool denial.
§7: 'The cron isolated session CAN use exec (it has its own permission scope). Leader's normal session cannot.'
→ Add a note in SOUL.md's tool fence section acknowledging the cron isolated session exception, or clarify in patch-config.js that exec is denied per-agent but not per-session.
assets/workspace/AGENTS.md:1
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | WRITE | ✓ Consistent | scripts/scaffold.sh creates dirs in ~/.openclaw; scripts/patch-config.js writes … |
| Network access | NONE | WRITE | ✓ Consistent | scripts/telegram-topics.js makes HTTPS POST to api.telegram.org |
| Command execution | NONE | WRITE | ✓ Consistent | scripts/scaffold.sh is a bash script executed as part of setup |
| Environment variables | NONE | READ | ✓ Consistent | patch-config.js reads $HOME for baseDir; scaffold.sh reads $HOME, $USER, $EUID |
| Skill invocation | NONE | WRITE | ✓ Consistent | Copies instance-setup, brand-manager, qmd-setup sub-skills into Leader's skills/ |
| Clipboard | NONE | NONE | | No clipboard access detected |
| Browser | NONE | NONE | | No browser tool access in any agent config |
| Database | NONE | NONE | | QMD optionally uses SQLite at ~/.openclaw/memory/main.sqlite, only if owner inst… |

Directory structure

45 files · 168.8 KB · 4894 lines
Markdown 40f · 3671L JavaScript 2f · 765L Shell 1f · 358L JSON 2f · 100L
├─ 📁 assets
│  ├─ 📁 config
│  │  └─ 📋 cron-jobs.json JSON 72L · 3.6 KB
│  ├─ 📁 shared
│  │  ├─ 📁 brands
│  │  │  └─ 📁 _template
│  │  │     ├─ 📝 content-guidelines.md Markdown 29L · 472 B
│  │  │     └─ 📝 profile.md Markdown 74L · 2.1 KB
│  │  ├─ 📁 domain
│  │  │  └─ 📁 _template
│  │  │     └─ 📝 industry.md Markdown 29L · 711 B
│  │  ├─ 📁 errors
│  │  │  └─ 📝 solutions.md Markdown 25L · 596 B
│  │  ├─ 📁 operations
│  │  │  ├─ 📝 approval-workflow.md Markdown 73L · 3.1 KB
│  │  │  ├─ 📝 brief-templates.md Markdown 343L · 8.7 KB
│  │  │  ├─ 📝 channel-map.md Markdown 41L · 1.3 KB
│  │  │  ├─ 📝 communication-signals.md Markdown 81L · 3.8 KB
│  │  │  ├─ 📝 content-guidelines.md Markdown 55L · 1.7 KB
│  │  │  └─ 📝 posting-schedule.md Markdown 31L · 745 B
│  │  ├─ 📝 brand-guide.md Markdown 21L · 732 B
│  │  ├─ 📝 brand-registry.md Markdown 23L · 813 B
│  │  ├─ 📝 compliance-guide.md Markdown 27L · 824 B
│  │  ├─ 📝 system-guide.md Markdown 76L · 2.8 KB
│  │  └─ 📝 team-roster.md Markdown 20L · 794 B
│  ├─ 📁 skills
│  │  ├─ 📁 brand-manager
│  │  │  └─ 📝 SKILL.md Markdown 100L · 3.2 KB
│  │  ├─ 📁 instance-setup
│  │  │  └─ 📝 SKILL.md Markdown 76L · 2.3 KB
│  │  └─ 📁 qmd-setup
│  │     └─ 📝 SKILL.md Markdown 222L · 6.5 KB
│  ├─ 📁 workspace
│  │  ├─ 📝 AGENTS.md Markdown 310L · 15.9 KB
│  │  ├─ 📝 HEARTBEAT.md Markdown 6L · 331 B
│  │  ├─ 📝 IDENTITY.md Markdown 20L · 733 B
│  │  └─ 📝 SOUL.md Markdown 118L · 4.4 KB
│  ├─ 📁 workspace-creator
│  │  ├─ 📝 AGENTS.md Markdown 100L · 3.3 KB
│  │  └─ 📝 SOUL.md Markdown 31L · 1.1 KB
│  ├─ 📁 workspace-engineer
│  │  ├─ 📝 AGENTS.md Markdown 91L · 3.9 KB
│  │  └─ 📝 SOUL.md Markdown 25L · 852 B
│  ├─ 📁 workspace-researcher
│  │  ├─ 📝 AGENTS.md Markdown 116L · 4.3 KB
│  │  └─ 📝 SOUL.md Markdown 24L · 1021 B
│  ├─ 📁 workspace-reviewer
│  │  ├─ 📝 AGENTS.md Markdown 104L · 4.7 KB
│  │  └─ 📝 SOUL.md Markdown 25L · 917 B
│  └─ 📁 workspace-worker
│     ├─ 📝 AGENTS.md Markdown 56L · 1.7 KB
│     └─ 📝 SOUL.md Markdown 30L · 1.0 KB
├─ 📁 references
│  ├─ 📝 agent-roles.md Markdown 76L · 3.2 KB
│  ├─ 📝 approval-workflow.md Markdown 5L · 199 B
│  ├─ 📝 architecture.md Markdown 90L · 3.8 KB
│  ├─ 📋 example-agent-config.json JSON 28L · 943 B
│  ├─ 📝 memory-system.md Markdown 64L · 2.3 KB
│  ├─ 📝 signals-protocol.md Markdown 5L · 211 B
│  └─ 📝 troubleshooting.md Markdown 93L · 3.6 KB
├─ 📁 scripts
│  ├─ 📜 patch-config.js JavaScript 468L · 14.6 KB
│  ├─ 🔧 scaffold.sh Shell 358L · 10.8 KB
│  └─ 📜 telegram-topics.js JavaScript 297L · 9.2 KB
├─ 📝 README.md Markdown 568L · 17.0 KB
└─ 📝 SKILL.md Markdown 368L · 14.4 KB

Dependency analysis (5)

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| fs (Node.js stdlib) | bundled | node | | Standard library, no external deps |
| path (Node.js stdlib) | bundled | node | | Standard library, no external deps |
| child_process (Node.js stdlib) | bundled | node | | Used only for which qmd — no arbitrary command execution |
| https (Node.js stdlib) | bundled | node | | Used for Telegram Bot API calls only |
| @tobilu/qmd | * | npm/bun (optional) | | Optional dependency; only installed if owner explicitly runs qmd-setup |

Security highlights

✓ No base64-encoded execution, eval(), or obfuscated payloads anywhere in the codebase
✓ No credential harvesting — scripts read $HOME for path resolution only, not for harvesting secrets
✓ No network exfiltration — telegram-topics.js only calls the Telegram Bot API for topic creation
✓ No sensitive path access (~/.ssh, ~/.aws, .env) — all writes target ~/.openclaw
✓ No curl|bash or wget|sh remote script downloads — scaffold.sh only operates on local files
✓ No supply chain risk — all dependencies are standard library (fs, path, child_process, https in Node.js; bash builtins in shell)
✓ No persistence mechanisms beyond cron jobs, which are owner-configured and documented
✓ patch-config.js uses deep merge safely — existing config is backed up before writing
✓ scaffold.sh uses set -euo pipefail — safe error handling with no silent failures
✓ No hidden HTML comments or steganographic payloads
✓ Telegram bot token is read from config file, not hardcoded or harvested from environment
✓ All agent tool restrictions are explicitly defined in patch-config.js AGENT_TOOL_DENY map
✓ QMD is optional and only installed if owner explicitly runs qmd-setup or uses --force-qmd