multi-agent-architecture
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- Remote Code Execution (CRITICAL): The skill configures the 'News Agent' and 'Code Agent' with the
exectool. The 'News Agent' is explicitly designed to useweb_fetchto retrieve content from external websites. This combination allows for RCE if a fetched website contains malicious instructions that the agent then executes via its shell access. - Indirect Prompt Injection (HIGH): This skill presents a significant vulnerability surface for indirect injection. \n
- Ingestion points: Untrusted data enters the system through the 'News Agent' (web crawling) and the 'Research Agent' (document analysis). \n
- Boundary markers: No delimiters or instructions are present to prevent the agent from following commands embedded within the external data. \n
- Capability inventory: Agents possess highly privileged tools including
exec,write,read, andmessage. \n - Sanitization: There is no evidence of filtering or sanitizing the external content before it is processed by the AI.
- Command Execution (HIGH): The 'Code Agent' is granted broad permissions (
read,write,edit,exec) for development tasks. If the agent is used to review or 'fix' a malicious codebase, it could be triggered to execute harmful commands or modify system files. - Data Exfiltration (HIGH): The architecture allows agents to read local configuration files (e.g., in
~/.openclaw/) via thereadtool and communicate externally via themessageorweb_fetchtools, creating a risk for the exposure of sensitive system data or credentials.
Recommendations
- AI detected serious security threats
Audit Metadata