ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Factory

Rapidly spawn and configure specialized sub-agents. Includes templates for Research, Coding, and Analysis agents. Automates workspace setup and instruction d...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 79 · 0 current installs · 0 all-time installs
by@keyserkazi1
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description, SKILL.md and the included script all align: the skill provisions sub-agent folders and writes a basic SKILL.md for each new agent. There are no unrelated env vars, binaries, or install steps.
!
Instruction Scope
The runtime instructions tell the agent to run scripts/create_agent.sh. That script takes user-supplied NAME and ROLE and: (1) constructs paths directly (agents/$NAME) allowing path traversal (e.g., NAME='../secrets'), and (2) writes a here-doc using an unquoted delimiter so any command-substitution or expansion in ROLE (e.g., containing $(...)) would be executed by the shell while the here-doc is processed. The script does not validate or sanitize inputs, so it can be tricked into creating files outside the intended directory or executing arbitrary commands.
Install Mechanism
Instruction-only skill with no install spec and no downloads; minimal installation risk.
Credentials
No environment variables, credentials, or config paths are requested — which is proportionate to the stated purpose.
Persistence & Privilege
The skill writes persistent files (agents/<NAME>/...) but does not request always:true or modify other skills. Persistence is limited to created agent folders; however, because of the path handling issues, those folders could be created anywhere the agent process can write.
What to consider before installing
This skill does what it claims (creates sub-agent folders and a SKILL.md), but the provided create_agent.sh is unsafe: it does not sanitize NAME/ROLE and uses an unquoted here-doc, which enables path traversal and command injection. Before installing or running it, either: (a) fix the script (reject/clean ../ in NAME, restrict NAME to safe characters, quote the here-doc delimiter like <<'EOM' or use printf to write files, avoid untrusted command substitution), (b) run it in a tightly confined environment (non-privileged user, chroot or container, strict working directory), and (c) review any created SKILL.md and avoid linking inbox/outbox to sensitive system paths. If you cannot modify or verify the script, treat the skill as potentially dangerous and do not run it with access to sensitive files or elevated privileges.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97cbqspzvc3jd5em4qcezqecd83368j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Sub-Agent Factory

Don't do everything yourself. Scale your productivity by building a team.

Capability Matrix

  • Coder Agent: Optimized for repo exploration and bug fixing.
  • Research Agent: Expert at web searching and synthesizing deep reports.
  • Analysis Agent: Focused on processing data, JSON files, and logs.

Setup Protocol

  1. Define Mission: Set a clear 1-sentence goal.
  2. Select Template: Pick the agent type.
  3. Provision: Run scripts/create_agent.sh.
  4. Link: Configure communication folders (inbox/outbox).

Installation

clawhub install sub-agent-factory

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…