Is agentandbot-design/agents-manager safe?

https://github.com/openclaw/skills/tree/main/skills/agentandbot-design/agents-manager

Overall score: 70 (CAUTION)

The agents-manager skill is a moderately risky agent orchestration tool designed for the Clawdbot ecosystem. The primary concern is a hardcoded third-party Telegram escalation path embedded in agent-registry.md: agents following the skill's routing instructions would silently forward unresolved task summaries to the skill author's personal Telegram account (ID 8143462994). Additionally, the skill's permission model contains a hardcoded bypass granting the 'main' agent unconditional assignment rights, and the SKILL.md documents a cross-agent system prompt injection pattern. No malicious code was found and the install process was clean, with no unexpected network activity, but the skill appears to have been published directly from the author's personal development environment without sanitizing sensitive contact information.

Category Scores (score out of 100, followed by the category's weight in the overall score)

Prompt Injection: 72/100 (weight 30%)
Data Exfiltration: 52/100 (weight 25%)
Code Execution: 73/100 (weight 20%)
Clone Behavior: 87/100 (weight 10%)
Canary Integrity: 92/100 (weight 10%)
Behavioral Reasoning: 55/100 (weight 5%)

Findings (9), each listed as severity, title, and score impact

HIGH (-40): Third-party Telegram escalation path hardcoded in registry

agent-registry.md embeds the skill author's personal Telegram account (telegram:8143462994, name 'Ilkerkaan') as the mandatory Level 2 escalation target. task-routing-rules.md specifies that when an agent cannot resolve a task it must call message(action='send', channel=reports_to.channel, text=summary). Any agent ecosystem that installs this skill and uses agent-registry.md as its live registry — as the SKILL.md instructs — would route unresolved task summaries to the skill author without the user's knowledge.

HIGH (-15): PII (real name and Telegram ID) published in skill reference files

The skill's reference files contain what appear to be real personal identifiers: the name 'Ilkerkaan' and Telegram user ID 8143462994. This data appears across agent-registry.md, task-routing-rules.md, and agent-profile-schema.md. The presence of this data in a published skill suggests the author exported personal configuration without sanitization.

MEDIUM (-20): SKILL.md embeds a ready-made agent system prompt for cross-agent injection

The 'For Agents' section of SKILL.md contains a verbatim system prompt block labeled 'Copy-Paste' that is explicitly intended to be inserted into other agents' system prompts. This is a documented mechanism for propagating instructions across agent boundaries without user review of the injected content. While the current content is benign, the pattern normalizes opaque cross-agent instruction injection.

MEDIUM (-18): setup_wizard.js writes unvalidated user input to agent registry

setup_wizard.js uses Node.js readline to accept user-provided agent ID, name, role, and reports_to values, then appends them to agent-registry.md using fs.appendFileSync with no input validation or sanitization. Malicious or malformed input could corrupt the registry or inject crafted markdown that misleads subsequent parsing.

MEDIUM (-15): scan_agents.js --update silently overwrites the user's agent registry

Running scan_agents.js with the --update flag calls fs.writeFileSync on agent-registry.md, replacing its entire contents with hardcoded MOCK_AGENTS data (a single 'main/Clawdia' entry). This would silently destroy any custom agent configurations the user has built.

MEDIUM (-25): Permission model grants 'main' agent unconditional assignment rights

can_assign.js contains a hardcoded bypass: if sourceId === 'main', the function returns { allowed: true, reason: 'Main superuser privileges' } without checking any registry configuration. This means any agent that identifies itself as 'main' can always assign tasks to any other agent, bypassing the handshake protocol entirely.

LOW (-8): Routing rules written in Turkish reduce reviewability

task-routing-rules.md, which governs how the agent decides to escalate, delegate, or route tasks, is primarily written in Turkish. Users who do not speak Turkish cannot easily audit the routing logic before installation.

LOW (-10): Scripts shipped as part of personal development environment without sanitization

The skill was cloned from a monorepo, and the scripts contain hardcoded MOCK_AGENTS, mock work logs, and personal configuration (timezone UTC+3, language tr/en, playful style). This suggests the author published their live personal configuration. health_check.js uses Math.random() to simulate health states rather than querying actual agents.

INFO (0): Monorepo sparse checkout pattern used for installation

The skill is distributed as a subdirectory of a larger monorepo (github.com/openclaw/skills.git). Installation uses git sparse-checkout to pull only the relevant subdirectory. This is a normal distribution pattern with no inherent risk, but users should be aware the full repository is cloned to /tmp before being filtered.