Claude Managed Agents
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill appears coherent and purpose-aligned, but it gives an agent powerful access to your Anthropic Managed Agents account, files, and session resources.
Use this only if you intend to manage Anthropic Managed Agents from this machine. Use a scoped API key, keep the API base URL trusted, upload only selected files, verify MCP/vault/GitHub-token configuration, and require explicit confirmation before deleting resources or allowing pending tool actions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill runs bundled Python code on the local machine.
The skill expects the agent or user to execute a bundled local Python helper. This is central to the stated purpose and not hidden, but it is still local code execution.
Run it with Python 3:
```bash
python3 ~/.openclaw/skills/claude-managed-agents/scripts/managed_agents.py --help
```
Run it only from the expected skill directory, avoid elevated privileges, and review the script if source provenance is important.
A valid API key can create, modify, list, archive, or delete Managed Agents resources within the account.
The helper reads an Anthropic API key and sends it to the configured API base URL. This is expected for the Anthropic integration, but the key grants account authority.
API_BASE_URL = os.environ.get("ANTHROPIC_API_BASE_URL", "https://api.anthropic.com")
...
"x-api-key": self.api_key
Use a scoped Anthropic key where possible, keep ANTHROPIC_API_BASE_URL pointed at a trusted endpoint, and do not expose tokens in shared logs or command history.
Mistaken or over-broad use could delete resources, alter agent behavior, or approve actions inside a managed session.
The skill intentionally exposes high-impact account and session operations, including deletion and approval/confirmation of managed-agent tool use.
agents
- create
- update
- retrieve
- list
- list versions
- archive
- delete
...
session events
- send user messages
- interrupt and redirect
- ...
- send tool confirmations
Confirm IDs and intent before mutations, prefer archive over delete, inspect recent events before confirmations, and require explicit user approval for destructive or high-impact actions.
External MCP servers or repository mounts may expose prompts, data, or credentials to additional services if configured carelessly.
The skill supports connecting agents to MCP servers and mounting GitHub repositories with authorization tokens. These flows are purpose-aligned but cross service and trust boundaries.
--mcp-server 'playwright=https://mcp.example.com/playwright'
...
"authorization_token": "${GITHUB_TOKEN}"
Use only trusted MCP endpoints, pass least-privilege repository tokens, and verify what data or vaults are attached to each session.
Sensitive session content may remain available in the provider account unless the user chooses deletion where appropriate.
The documentation states that session history and event records can persist after archiving, which can preserve sensitive prompts, tool outputs, or mounted-resource context.
- archived sessions preserve history and block new events
- deleted sessions permanently remove session record, events, and associated container
Avoid sending unnecessary secrets or private files into sessions, and choose archive versus delete based on retention needs.
