Skills
skills/agentscope-ai/hiclaw/project-management/Gen Agent Trust Hub

project-management

Warn

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: MEDIUMPROMPT_INJECTIONCREDENTIALS_UNSAFECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill includes instructions to bypass human oversight in certain conditions. Evidence: references/create-project.md contains a 'YOLO mode' directive: 'The admin is unavailable and cannot be reached. Do NOT wait — auto-confirm immediately...'. This instructs the AI to bypass a required confirmation gate and proceed with project activation autonomously.
  • [CREDENTIALS_UNSAFE]: The skill accesses sensitive local files and environment variables containing credentials. Evidence: scripts/create-project.sh reads secrets from /data/hiclaw-secrets.env and uses environment variables HICLAW_MANAGER_PASSWORD and HICLAW_ADMIN_PASSWORD to perform automated logins to the Matrix service.
  • [COMMAND_EXECUTION]: The skill executes shell scripts that modify agent configurations and interact with system utilities. Evidence: scripts/create-project.sh modifies the agent configuration file /root/hiclaw-fs/agents/manager/openclaw.json to dynamically update the groupAllowFrom access control list. Evidence: The skill utilizes curl for API interactions and mc (MinIO client) for file synchronization across several reference documents.
  • [DATA_EXFILTRATION]: The skill transmits project-related data to remote storage and communication services. Evidence: Project metadata and plans are synchronized to a MinIO bucket via mc mirror operations. Evidence: User IDs and project details are transmitted to a Matrix server via API calls in scripts/create-project.sh and references/plan-changes.md.
  • [PROMPT_INJECTION]: The skill identifies a surface for indirect prompt injection through the processing of external task results. Ingestion points: references/task-lifecycle.md (Step 3a) reads result.md and meta.json files which are authored by other agents (Workers). Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present when parsing these files. Capability inventory: The skill has the capability to execute shell commands, modify agent configurations, and perform network operations based on the project state. Sanitization: There is no evidence of sanitization or strict schema validation for the summaries or status fields read from worker-generated files.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 6, 2026, 08:12 AM