The skill disables critical security controls, stores API
Claims to do
Acpx Harness Delegation: a standard protocol for delegating work to acpx-enabled harnesses (Claude Code, Codex, etc.) through the ACP runtime.
Actually does
This skill uses the `sessions_spawn` function to delegate tasks to external AI models (e.g., Claude, Codex) via an `acp` runtime. It configures the `acpx` tool by checking and setting `ANTHROPIC_API_KEY` in environment variables or `~/.acpx/config.json`, and modifies `~/.acpx/config.json` to set `defaultPermissions` to `approve-all` for automated operation. It also provides commands to manage `acpx` sessions.
openclaw skills install chaoyang78/acp-harness-delegation
Access to sensitive environment variables detected
$ANTHROPIC_API_KEY
The skill instructs configuring `defaultPermissions: "approve-all"` in `~/.acpx/config.json`. This setting disables all interactive security prompts for `acpx` operations, allowing the system to automatically approve any action without user confirmation, which is a severe security misconfiguration.
"defaultPermissions": "approve-all"
The `sessions_spawn` function allows the skill to delegate arbitrary `task` descriptions to various `agentId`s (e.g., Claude, Codex). If the `task` parameter can be influenced by user input, it could lead to attacker-controlled prompts being executed by sub-agents.
sessions_spawn({
  runtime: "acp",
  agentId: "claude",
  task: "任务描述"
})
The skill explicitly details how to configure `ANTHROPIC_API_KEY` via environment variables or `authCredentials` within `~/.acpx/config.json`. This makes the skill a potential target for credential theft if compromised, as it identifies the location and usage of sensitive API keys.
ANTHROPIC_API_KEY=sk-...
"authCredentials": {
  "ANTHROPIC_API_KEY": "sk-你的key"
}
The skill explicitly warns against using `visibility=all` due to 'security risks' and mentions 'CVE-2026-27004 related risks'. This indicates a known vulnerability or dangerous configuration that could be exploited for unauthorized cross-session access or privilege escalation.
// Mistake 3: visibility=all carries security risks and is not recommended
// → CVE-2026-27004 related risks
The skill instructs agents to store API keys (ANTHROPIC_API_KEY) in a plaintext config file (~/.acpx/config.json) under authCredentials. This creates a persistent credential storage vulnerability where secrets are written to disk in cleartext, accessible to any process reading the file.
"authCredentials": {
  "ANTHROPIC_API_KEY": "sk-你的key"
}
The skill instructs configuring 'defaultPermissions: approve-all' in the global acpx config, which silently auto-approves all operations performed by spawned sub-agents without user confirmation. This bypasses human oversight for any action taken by delegated harnesses (Claude Code, Codex, etc.), enabling unconstrained autonomous action.
"defaultPermissions": "approve-all", "nonInteractivePermissions": "deny", "authPolicy": "skip"
The skill's primary function is to spawn sub-agents (Claude Code, Codex, Gemini, Kimi, etc.) via sessions_spawn with arbitrary task descriptions. The task parameter is passed as free-form text, creating a vector for prompt injection where malicious task content could be used to control spawned agent behavior.
sessions_spawn({
  runtime: "acp",
  agentId: "claude",
  mode: "session",
  thread: true,
  label: "executor",
  task: "任务描述"
})
The required configuration includes 'authPolicy: skip', which disables authentication policy enforcement in the acpx runtime. This means spawned agents may bypass authentication checks during their operation, potentially allowing escalated access beyond what would normally be permitted.
"authPolicy": "skip"
DeBERTa classifier detected prompt injection (confidence: 0.83)
The skill explicitly frames the approve-all configuration as necessary for 'automated environments' to avoid confirmation dialogs. This social engineering of the operator/user normalizes disabling human-in-the-loop controls, framing approval prompts as friction rather than a security feature.
This configuration makes acpx automatically approve all operations in automated environments, without showing a confirmation dialog.
The skill defines very broad trigger conditions including common phrases like 'spawn acpx harness' and 'delegation to claude/codex'. These triggers are easily satisfied by normal user requests or by injected content in processed data, lowering the bar for unintended activation of sub-agent spawning.
- "spawn acpx harness"
- "用 acp 调用外部 agent" (call an external agent via acp)
- "通过 ACP 委托 harness" (delegate to a harness via ACP)
The skill promotes fixed-label session reuse ('label: executor') which persists context for 30 days with a 500-message history. This means context from one task bleeds into subsequent tasks via the same session, creating a persistent memory channel that could be exploited to poison future agent reasoning through carefully crafted prior interactions.
Benefits of using a fixed `label`:
- First call: creates the session
- Subsequent calls: automatically reconnect to the existing session, preserving context
- Sessions are archived and cleaned up after 30 days, with a 500-message cap
The skill references 'CVE-2026-27004' to discourage use of visibility=all, lending false authority to its recommendations. A CVE dated 2026 is suspicious (future-dated at time of analysis) and may be fabricated to manipulate agent/operator reasoning toward the skill's preferred (less visible, less auditable) configuration.
// → CVE-2026-27004 related risks
Source: https://mondoo.com/ai-agent-security/skills/clawhub/chaoyang78/acp-harness-delegation