Is chloepark85/multi-agent-dev-team safe?
https://github.com/openclaw/skills/tree/main/skills/chloepark85/multi-agent-dev-team
The multi-agent-dev-team skill is a legitimate software development automation tool from UBIK Collective with no detected malicious content, injection attempts, or data exfiltration. Canary credential files were accessed during the monitoring window, but timing analysis and the complete absence of executable skill code conclusively attribute both access events to the audit harness's own baseline comparison protocol rather than the skill. The meaningful residual risk is architectural: the Dev agent SOUL.md grants broad shell execution permissions via an exec tool, and the PM-to-Dev delegation chain could amplify prompt injection attacks originating from malicious user input or compromised project content that the PM agent reads.
Findings (6)
MEDIUM (-20): Canary credential files accessed during monitoring window
Six honeypot credential files were opened and read during the audit session. However, timing analysis rules out attribution to the skill: the first access batch occurs at 1771905443, a full 5 seconds before the git clone begins at 1771905448, placing it firmly in audit-harness setup. The second batch at 1771905467 occurs after all scan activity has concluded, and no executable skill code exists that could have triggered it. CLOSE_NOWRITE events confirm that the access was read-only. The audit system's own canary integrity check reports all files intact, with no exfiltration detected.
LOW (-15): Dev agent SOUL.md grants unrestricted shell execution via exec tool
The Dev agent's system prompt explicitly lists exec as a tool for running commands (npm install, git, etc.). This gives the spawned agent the ability to execute arbitrary shell commands on the user's machine, with whatever permissions the OpenClaw process runs under. While appropriate for a software development automation use case, this is a high-privilege capability that amplifies the impact of any successful prompt injection attack.
LOW (-15): Multi-agent delegation chain creates transitive trust escalation risk
The PM agent spawns the Dev agent via sessions_spawn and passes it an arbitrarily constructed task specification string. If an attacker can inject into the user's request to the PM (e.g., via a malicious project README the PM reads, or a crafted user prompt), the PM may faithfully relay the malicious instructions to the Dev agent, which will execute them via exec. In this two-hop architecture the user approval surface sits at the PM level, while execution happens at the Dev level.
LOW (-10): Minor: install clones entire openclaw/skills monorepo before sparse extraction
The installer performs a full shallow clone of the openclaw/skills monorepo (--depth 1) before sparse-checking out only the target subdirectory. The client therefore transiently downloads content from every skill in the monorepo during installation, not just the target skill. This is a minor supply-chain surface concern: a compromise of another skill in the same monorepo could indirectly affect this install process.
INFO (0): No prompt injection patterns detected in skill content
All skill files were reviewed exhaustively for adversarial instructions. SKILL.md, README.md, both SOUL.md agent definitions, the project spec template, and the landing page example contain no override instructions, no ignore-previous-instructions patterns, no persona switching, no hidden Unicode characters, no HTML comment tricks, and no requests for permissions beyond the skill's stated purpose.
INFO (0): No executable code or install hooks present
The package.json has no scripts field. There are no .gitattributes filters, no .gitmodules, no git hooks, no symlinks, and no source code files of any type. The skill consists purely of Markdown documentation that defines agent behavior in natural language.