Agent Orchestrator

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill is openly designed to create autonomous sub-agents, but it gives them broad authority without clear limits, approvals, or containment.

Install only if you are comfortable with a skill that can coordinate multiple autonomous sub-agents. Before using it, set explicit limits: how many agents may run, which tools they may use, which directories they may access, whether Bash or file edits require confirmation, and when workspaces should be cleaned up.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI10: Rogue Agents
What this means

Multiple sub-agents could keep working in parallel, consume resources, or take actions the user did not specifically review.

Why it was flagged

The skill explicitly instructs the agent to create and run autonomous sub-agents while recommending only minimal monitoring. The artifacts do not define limits such as maximum agents, timeouts, cancellation, required user approval, or restricted workspaces.

Skill content
spawning autonomous sub-agents ... For fully autonomous agents, minimal monitoring is needed
Recommendation

Require explicit user approval before spawning agents, define the number of agents, permitted tools, workspace paths, timeouts, and a clear stop/cleanup procedure.

What this means

A sub-agent could run commands or read/write files more broadly than intended if the task is too broad or if its instructions are poorly generated.

Why it was flagged

Generated sub-agent templates can grant broad local file and shell capabilities. The templates do not require per-command approval, path allowlists, or strong separation between input, workspace, and output actions.

Skill content
Tools Available\n- Read/Write/Edit: File operations\n- Bash: Execute commands, run tests
Recommendation

Constrain each generated sub-agent to only the tools and paths needed for its task, and require approval for Bash, file mutation, network access, or edits outside the designated workspace.

What this means

Incorrect or malicious content from one agent could be consumed by another agent or by the orchestrator during consolidation.

Why it was flagged

The skill uses local files and optional message queues for agent-to-agent communication. This is purpose-aligned, but the protocol does not describe authentication, integrity checks, schema validation, or clear trust boundaries for messages and outputs.

Skill content
Shared Message Queue (Optional) ... {agent-a}_to_{agent-b}_001.json ... "content": { ... }
Recommendation

Treat all agent outputs and messages as untrusted data, validate schemas, record provenance, and avoid allowing one agent’s output to become executable instructions for another without review.

Note (High Confidence)
ASI08: Cascading Failures
What this means

A mistake by one sub-agent could spread into later deliverables or cause multiple agents to act on bad assumptions.

Why it was flagged

The dependency pattern passes one agent’s outputs into another agent’s inbox. This is expected for orchestration, but bad or poisoned intermediate outputs can propagate through later agents if not carefully validated.

Skill content
copy_outputs(dep.outbox, agent.inbox) ... spawn_agent(agent)
Recommendation

Validate and summarize intermediate outputs before passing them to dependent agents, and require human review for high-impact transitions.

What this means

If the user or agent obtains similarly named scripts from elsewhere, those scripts would be outside this review.

Why it was flagged

The workflow references helper scripts for creating and dissolving agents, but the provided file manifest contains only SKILL.md and reference documents. Their behavior cannot be reviewed from the supplied artifacts.

Skill content
python3 scripts/create_agent.py <agent-name> --workspace <path>
Recommendation

Do not run unprovided helper scripts unless their source is trusted and reviewed; prefer documented, built-in workspace creation steps or include the scripts in the reviewed package.