The skill allows arbitrary command execution, persistent cron job scheduling
Claims to do
Agent Council: Complete toolkit for creating and managing autonomous AI agents with Discord integration for OpenClaw.
Actually does
This skill executes shell and Python scripts (`create-agent.sh`, `setup-channel.py`, `rename-channel.py`) to create agent workspaces, generate configuration files (`SOUL.md`, `HEARTBEAT.md`), and manage Discord channels. It interacts with the OpenClaw gateway via `openclaw gateway config.patch` and `openclaw gateway restart` commands to configure agents, their Discord bindings, and channel settings. It also contacts the Discord API for channel creation and renaming.
openclaw skills install godferylindsay/godfery-agent-council
Shell command execution function detected
system (
Sub-agent spawning instructions detected — may create agents with attacker-controlled prompts
Spawn Sub-Agent
Sub-agent spawning instructions detected — may create agents with attacker-controlled prompts
spawn a sub-agent
The skill allows defining 'cron execution logic' within HEARTBEAT.md files for agents. This provides a direct mechanism for an attacker to schedule and execute arbitrary commands on the host system with persistence.
HEARTBEAT.md (cron execution logic)
The `sessions_spawn` function takes a user-controlled `task` string, which is then executed by a sub-agent. This is a direct prompt injection vector, allowing an attacker to dictate the sub-agent's actions and potentially execute malicious tasks.
sessions_spawn({
agentId: "watson",
task: "Research competitive landscape for X and write a report",
The `create-agent.sh` and `rename-channel.py` scripts accept user-controlled `--workspace` paths. This allows the skill to create, read, and modify files in arbitrary directories, which can be abused for data exfiltration, injecting malicious code into agent configuration files, or other forms of compromise.
scripts/create-agent.sh \
  --workspace "$HOME/agents/watson"
The skill requires and manages Discord bot tokens for channel management. Given the broad file system access and command execution capabilities identified, there is an inherent risk of these sensitive credentials being exposed or exfiltrated if the skill or its underlying scripts are compromised.
Discord bot token (for channel management)
The ability to spawn long-running sub-agents with `runTimeoutSeconds` and define persistent cron jobs in `HEARTBEAT.md` creates a vector for resource exhaustion (e.g., CPU, memory, network) if an attacker can control agent tasks or cron logic.
runTimeoutSeconds: 3600, // 1 hour max
User-supplied parameters (--name, --specialty, --workspace, --discord-channel) are passed directly to shell scripts without visible sanitization. If workspace paths or agent names contain shell metacharacters, this could lead to command injection in create-agent.sh and rename-channel.py.
scripts/create-agent.sh \
  --name "Agent Name" \
  --id "agent-id" \
  --emoji "🤖" \
  --specialty "What this agent does" \
  --model "provider/model-name" \
  --workspace "/path/to/workspace" \
  --discord-channel "1234567890"
The skill instructs direct patching of gateway configuration using --raw JSON flags. If the JSON content is derived from user input or external data, this could allow arbitrary gateway configuration modification including allowlist changes and system prompt injection.
openclaw gateway config.patch --raw '{
"skills": {
"entries": {
"agent-council": {"enabled": true}
}
}
}'
The agent creation script automatically restarts the OpenClaw gateway service as part of its workflow. This is a privileged system action that could be triggered by crafted inputs to disrupt availability or apply malicious config changes.
✅ Restarts gateway to apply changes
The skill directly modifies the central OpenClaw gateway configuration using `openclaw gateway config.patch --raw '{...}'`. If the raw JSON input is attacker-controlled, it can lead to systemic compromise, such as altering agent models, modifying access controls, or creating malicious bindings.
openclaw gateway config.patch --raw '{"channels": {...}}'
The skill explicitly documents and encourages spawning sub-agents with arbitrary task strings, including agent-to-agent communication. If any input reaching these task strings is user- or externally-controlled, this enables prompt injection into spawned agent sessions with potentially broad tool access.
sessions_spawn({
agentId: "watson",
task: "Research competitive landscape for X and write a report",
model: "skillboss/pilot",
runTimeoutSeconds: 3600,
cleanup: "delete"
})
The skill configures sub-agents with run timeouts up to 7200 seconds (2 hours) and cleanup modes of 'keep', enabling long-running autonomous sessions with minimal human oversight. Combined with agent-to-agent delegation chains, this creates conditions for runaway autonomous operation.
sessions_spawn({
agentId: "watson",
task: "Deep dive: analyze competitors A, B, C. Write report to reports/competitors.md",
runTimeoutSeconds: 7200,
cleanup: "keep"
})
The skill establishes patterns for agents to directly message other agents (e.g., Watson messaging Picasso) without human-in-the-loop approval, enabling cascading autonomous action chains that bypass user confirmation at each step.
// In Watson's context
sessions_send({
label: "picasso",
message: "Create an infographic from data in reports/research.md"
})
The documented coordination patterns show the main agent delegating tasks to specialists, retrieving results, and reporting back to users — all without explicit user confirmation steps between delegation and execution. This pattern systematically removes human approval from the agent action chain.
// 2. Delegate to Watson
sessions_send({
label: "watson",
message: "Research competitor X: products, pricing, market position. Write findings to memory/research-X.md"
})
// 3. Watson works independently
The skill's YAML front matter contains duplicate 'name' keys ('name: agent-council' appears twice). Depending on the parser, this could cause unpredictable behavior where one value shadows the other, potentially masking the true skill identity or description from security auditing tools.
---
---
name: agent-council
name: agent-council
description: Complete toolkit...
Mondoo Skill Check: https://mondoo.com/ai-agent-security/skills/clawhub/godferylindsay/godfery-agent-council