Skillv0.9.4

ClawScan security

Agent Squad 0.9.4 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 10, 2026, 2:36 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files, runtime instructions, and required binaries are consistent with its stated purpose (running persistent AI squads in tmux); it does not request unrelated secrets or unusual installs, but it explicitly runs engines in full-auto mode and gives those engines access to project files — so only point it at trusted projects.
Guidance: This skill appears to be what it says: a local coordinator that runs unattended AI engines in tmux and manages task files. Before installing, consider the following: (1) Only run squads on codebases you trust — the agents run in full-auto and can read, write, execute, and commit changes in the project directory. (2) Remove secrets (API keys, .env, private keys) from any project directories you point the squad at. (3) Engines are started with flags that bypass permission prompts (e.g., --dangerously-skip-permissions); understand the implications and only enable those engines if you accept full automation. (4) If you want isolation, run this skill inside a VM, container, or disposable environment and test with a throwaway repo first. (5) Review the included scripts (start/watchdog/assign/etc.) to confirm behavior for cron registration and auto-restart; if you don't use openclaw, the skill warns and will not register the cron. (6) If you need stricter controls, modify the start/watchdog scripts to remove auto-restart or to restrict the project directory before using. Overall: coherent and self-consistent, but carries expected high operational risk because the agents are intentionally granted broad file-system and execution access.

Review Dimensions

Purpose & Capability: okName/description (persistent AI squads in tmux) match the included scripts and SKILL.md. Requested binaries (python3 and tmux) are reasonable and necessary for creating sessions, writing task files, rendering templates, and running engines. No unrelated environment variables, config paths, or external credentials are requested.
Instruction Scope: noteSKILL.md and scripts explicitly instruct the agent to start tmux sessions, write/read coordination files under ~/.openclaw/workspace/agent-squad, show live tmux output in responses, and send prompts into tmux sessions. This is expected for the stated purpose, but it means the running AI engines will have read/write/execute access to the configured project directory and coordination data. The skill instructs defaulting to the 'claude' engine and to run engines in full-auto modes; it also warns users to keep secrets out of project directories.
Install Mechanism: okNo install spec (instruction-only skill) — scripts are shipped with the skill and nothing is downloaded from external URLs. This is low-risk from an install mechanism perspective. The skill expects external engine binaries to be present on PATH; installing those is outside the skill and is the user's responsibility.
Credentials: okThe skill does not request environment variables, API keys, or credential files. It does rely on engine binaries that may themselves require credentials (e.g., Gemini OAuth), but those are external to the skill and not demanded by it. The lack of required secrets is proportionate to the skill's function.
Persistence & Privilege: okalways:false (not force-included). The skill registers a watchdog via openclaw cron if available, but that is scoped to its own squads. It does not modify other skills or request elevated system-wide privileges. Autonomous invocation by the agent is allowed (default) — expected for skills of this type.