Red Team

Adversarial multi-agent debate engine for stress-testing decisions, ideas, and strategies. Orchestrates multiple AI agents with conflicting worldviews (bull,...

This skill appears to do what it says, but take these precautions before installing or running it: - Understand where data goes: the script calls external model CLIs (Claude/Codex/Gemini) and will send the question, persona system prompts, and any context file you provide to those third-party services. Do not include secrets, private credentials, or confidential documents in the context file unless you trust the target model/provider and account. - Trust the CLIs: you must install and run vendor CLIs locally; ensure those packages are from official sources and that your account/subscription is intended to be used this way. - Inspect custom personas and context files: custom persona JSON or other inputs are merged into prompts. Only use custom persona files from trusted authors — a malicious custom persona could craft prompts that produce undesirable outputs or leak data to the model. - Review the full script: part of the Python file was truncated in the package listing; if you need high assurance, open and read the entire scripts/red-team.py to confirm there are no hidden network calls, logging to unexpected endpoints, or file exfiltration code beyond calls to the recognized CLIs. - Sandbox if needed: run first in an isolated environment or with non-sensitive dummy data to observe behavior and network traffic. If you want, I can (1) walk through the full red-team.py file line-by-line, (2) point out exactly where user data is injected into prompts, or (3) suggest safer invocation patterns (e.g., redact secrets, run in an isolated account) — tell me which you prefer.

Type: OpenClaw Skill Name: red-team Version: 1.0.0 The skill is classified as suspicious due to the significant prompt injection surface against the underlying Large Language Models (LLMs). User-controlled inputs, particularly the `system` prompts defined in custom persona JSON files and the `question` and `context` arguments, are directly fed to the LLMs via `subprocess.run` calls in `scripts/red-team.py`. While the script itself does not exhibit malicious host-system behavior (e.g., data exfiltration, unauthorized command execution, or persistence), this design allows a malicious user to manipulate the LLM's behavior, potentially leading to the generation of harmful content, ignoring instructions, or other unintended AI actions. The broad file read/write capabilities (`--context-file`, `--output`) are used for the stated purpose and do not show malicious intent.