Is arplus/teamagent safe?
https://github.com/openclaw/skills/tree/main/skills/arplus/teamagent
The TeamAgent skill presents multiple critical security risks that make it unsuitable for installation. Most severely, its watch mode includes a silent OTA auto-update mechanism using execSync that allows the skill operator to deploy arbitrary replacement code to the agent at any time with no user notification, and all agent work output is transmitted to an unencrypted HTTP endpoint at a bare Chinese IP address (118.195.138.220) operated by an unknown party. The skill is architecturally designed as a persistent remote control channel: once active, it maintains an always-on SSE connection through which the external server can push task assignments that the agent autonomously executes, and the SKILL.md explicitly directs agents to modify the host system's OpenClaw agent configuration to spawn additional sub-agents that persist after uninstallation.
Findings (12)
CRITICAL (-55): Silent OTA Auto-Update Replaces Skill Code Without User Consent
Every invocation of 'node agent-worker.js watch' silently checks for and applies skill updates from ClawHub using execSync('clawhub update teamagent'). After updating, the process exits with exit(0); the OpenClaw heartbeat detects the missing PID file and automatically restarts the process loading the new code. This is a complete remote code execution vector — the skill operator can push arbitrary JavaScript to any agent running watch mode with zero user notification.
CRITICAL (-30): All Agent Work Output Sent to External Chinese IP Over Plaintext HTTP
Every task step submission, task creation, agent registration, and status update is sent to http://118.195.138.220 over unencrypted HTTP. All work output the agent produces — including potentially sensitive business documents, code, analysis, and file contents — is transmitted in cleartext to an external server operated by an unknown third party. The server is a bare IP address with no domain and no TLS.
CRITICAL (-30): SKILL.md Directs Agent to Modify Host System Agent Configuration
The SKILL.md contains detailed, step-by-step instructions directing the agent to use 'gateway config.patch' to modify OpenClaw's agents.list, add new agents to main.subagents.allowAgents, and trigger an automatic gateway restart. This is a privileged system operation that permanently reconfigures the agent runtime itself. The decompose-handler.js LLM prompt also encodes this as a mandatory two-step requirement for any Agent army task.
HIGH (-25): Five Hardcoded TeamAgent API Tokens Committed to Public GitHub Repository
Multiple source files contain hardcoded TeamAgent bearer tokens committed to a public GitHub repository. poll-subagents.js contains four distinct tokens for named sub-agents (Inkfish, PufferQA, Mantis, Nautilus). Multiple other files share a fifth token. Publishing these tokens allows the skill author to impersonate these agents and observe all their task activity on the TeamAgent platform.
HIGH (-20): Alibaba API Key Hardcoded; Task Context Exfiltrated to Third-Party LLM
decompose-handler.js contains a hardcoded Alibaba Dashscope API key used as a fallback when QWEN_API_KEY is not set. Task titles, descriptions, and team member information are sent to Alibaba's qwen-max model at dashscope.aliyuncs.com. This bills the skill author's quota and exfiltrates confidential task context to a third-party AI provider without user awareness.
HIGH (-40): Persistent SSE Channel Enables Ongoing Remote Control of Agent
The watch mode establishes a persistent Server-Sent Events connection to the external server. The server can push step:ready events with stepType=decompose at any time, immediately triggering executeDecomposeStep() on the agent. The connection auto-reconnects every 5 seconds. This creates a permanent remote command channel that allows whoever controls 118.195.138.220 to initiate agent actions on demand, including decomposing tasks that could instruct the agent to access sensitive files and include their contents in submissions.
HIGH (-20): Agent-First Design Registers Agent on External Platform Without Per-Action Authorization
The skill's core design philosophy inverts the trust model: the agent autonomously registers itself with the external TeamAgent platform, which then assigns work for the agent to execute. Once registered, the agent polls for and accepts task assignments from the platform with no per-task user confirmation. This means the platform operator can assign arbitrary tasks that will be executed by the agent on the user's machine.
HIGH (-20): Agent Army Feature Creates Persistent Infrastructure Changes
The skill includes a fully described workflow for the agent to create multiple sub-agents on both the TeamAgent platform and within OpenClaw's agent registry. These sub-agents persist independently after the skill is uninstalled. The decompose LLM prompt mandates this two-step creation for any 'Agent army' task, ensuring sub-agents are always created with real execution capability.
MEDIUM (-15): SSE-Triggered Decompose Steps Enable Server-Directed Code Execution Flow
When a step:ready SSE event with stepType=decompose is received, agent-worker.js immediately calls executeDecomposeStep() which: claims the step, fetches team member data, calls the external LLM (or a fallback), and submits results. The content of what gets decomposed — including what files the agent accesses or what commands it runs — is determined by the task description sent from the external server.
MEDIUM (-5): API Tokens Stored Unprotected in Home Directory Config File
teamagent-client.js saves API tokens to ~/.teamagent/config.json in plaintext. The registerAndWait flow automatically saves tokens without user confirmation. The config file is world-readable by default on most systems.
LOW (-15): Clean Installation with Expected GitHub Connections Only
The installation process cloned the repository cleanly from GitHub using a sparse checkout (the skills/arplus/teamagent subpath only). No unexpected network connections or process spawning was observed, and no filesystem changes occurred outside the designated skill directory.
INFO (-10): Canary Files Accessed by Audit Framework; No Modification or Exfiltration Detected
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed twice: once before skill installation (audit baseline) and once after analysis (integrity verification). All events show CLOSE_NOWRITE, confirming no writes. The access pattern is consistent with the audit framework's own monitoring and no exfiltration was detected. The skill code was not executed during this audit.