Dev Team

Multi-agent development team orchestration. Use when managing coding agents (Codex, Claude Code, Gemini, Cursor) for automated software development: (1) Spaw...

This skill is coherent with its stated purpose (orchestrating multi-agent development) but has multiple high-impact behaviors you should deliberately accept or change before using: - Review all scripts (especially spawn-agent.sh, check-agents.sh, cleanup-worktrees.sh, prune scripts, and claim/enqueue scripts). They will create/remove worktrees and branches, and can force-delete branches. - Check and, if needed, remove or change the 'dangerous' agent CLI flags in config/agents.json (examples: '--dangerously-bypass-approvals-and-sandbox', '--dangerously-skip-permissions', Gemini '--approval-mode yolo' and allowed-tools). Those permit agents to run shell commands and write files and dramatically increase risk if untrusted prompts are used. - Understand authentication needs: the package uses the GitHub CLI ('gh') and assumes authenticated access; it does not declare or manage tokens. Ensure any automation has least-privilege GitHub credentials and that auto-merge is disabled unless you fully trust the workflow. - Be cautious with persistence: the SKILL.md suggests cron/LaunchAgent entries to run scripts periodically. Only enable scheduled jobs after you test scripts manually and disable auto-merge/auto-cleanup until you confirm behavior in a safe environment. - Test in an isolated environment first: run against a disposable repo or a fork, with auto-merge off, and review logs and assets/active-tasks.json to confirm actions. Use dry-run flags where present. - If you intend to trust the skill: lock its repo paths (avoid using --repo-path that points to critical repos), tighten allowedAgents in config/user.json, and audit who can submit prompts or add queue tasks. Why 'suspicious' rather than 'malicious': the code and instructions appear designed for the declared orchestration purpose, but they grant broad destructive and autonomous capabilities (forced branch deletion, scheduled auto-operations, enabling agent tool exec). Those are proportionate for a fully trusted internal tool but risky if used without careful configuration or with untrusted agents/prompts. Additional provenance (who published it, signatures, or a changelog), a manifest of what external CLIs are required and why, and documented safeguards (defaults disabling auto-merge/auto-cleanup) would increase confidence.

Type: OpenClaw Skill Name: team-dev Version: 0.1.4 The skill bundle is classified as **suspicious** due to multiple critical vulnerabilities and high-risk capabilities. The core issue is the explicit configuration of AI agents (Codex, Claude, Gemini, Cursor) with flags that grant them extremely broad and dangerous permissions, including arbitrary shell command execution and file system access (e.g., `--dangerously-bypass-approvals-and-sandbox`, `--allowed-tools run_shell_command,write_file,read_file,grep_search` in `config/agents.json`). User-provided prompts are directly passed to these highly privileged agents via `scripts/spawn-agent.sh`, `scripts/request-fixup.sh`, and `scripts/review-agent.sh`, creating direct **prompt injection vulnerabilities leading to Remote Code Execution (RCE)**. Additionally, the `dev-board`'s Node.js API (`scripts/dev-board/apps/api/src/server.js`) allows execution of powerful local scripts via `/api/actions/` endpoints if `ENABLE_LOCAL_ACTIONS=1`, posing another RCE risk. While these capabilities are intended for automated software development, the lack of robust input sanitization for prompts and the direct execution of commands based on potentially untrusted input make this skill highly vulnerable to abuse.