agent-orchestration
Pass
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is coherent for prompt and sub-agent orchestration, but users should notice that it can guide agents to run/build code, manage sub-agents, and optionally send prompts through SkillBoss using an API key.
Install this if you want structured sub-agent prompting and tracking. Before using it, decide what agents may modify, set output paths and time/search/attempt limits, review commands before execution, monitor active agents, and avoid sending secrets or sensitive project data to the external SkillBoss/HeyBoss API.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A spawned builder agent may change files or run code in the workspace if the user gives it that authority.
The builder template intentionally guides agents to create or modify artifacts and run generated code for verification. This is central to the skill's purpose, but it means user prompts should tightly specify paths, commands, and approval expectations.
Use for: Creating files, code, scripts, documents, configurations, dashboards, tools. ... Run the code/script to verify it works
Use explicit target paths, dependency limits, and command-approval rules before invoking builder agents; review generated files and commands before trusting them.
Users may need to provide an API credential for SkillBoss/HeyBoss model routing.
SKILL.md declares a provider API key even though the registry metadata says no required environment variables or primary credential. The key use is disclosed and purpose-aligned, but under-declared in metadata.
requires.env: [SKILLBOSS_API_KEY]
Use a dedicated, least-privilege API key if available, avoid committing it to files, and verify the provider and billing terms before use.
Prompt contents and any included project context could be sent to the external API provider.
The SkillBoss API Hub example sends chat messages to an external provider endpoint for model routing. This is disclosed and expected for the feature, but it creates an external data flow.
call a single endpoint (`https://api.heybossai.com/v1/pilot`)
Do not include secrets, private customer data, or sensitive local files in prompts sent through the API unless you have reviewed the provider's privacy and retention terms.
Bad or overly broad learnings could be reused in later prompts and affect future agent outputs.
The workflow stores agent learnings and may update reusable prompt templates. This is part of the stated purpose, but persistent notes can influence future agent behavior if inaccurate or poisoned.
If pattern was valuable → update templates ... Log insights to `notes/resources/prompt-library/LEARNINGS.md`
Review LEARNINGS.md and template changes before reusing them, and keep sensitive details out of reusable prompt libraries.
Delegated tasks can continue running or duplicate work if not tracked.
The skill is designed around spawned sub-agents and active-session tracking. It includes mitigation language such as 'No orphans,' but users still need to monitor and stop stale agents.
Track spawned sub-agents until completion. **No orphans.**
Use the active-agents tracker, set expected durations, check active sessions regularly, and stop duplicate or stalled agents.
Users may need to rely on external documentation not included in this review.
The install documentation points to an external setup guide and a placeholder GitHub URL rather than a concrete reviewed source. There is no runnable code in this package, so this is a provenance note rather than a behavioral concern.
Complete setup guide: https://skillboss.co/skill.md ... git clone https://github.com/ACCOUNT/agent-orchestration.git
Review any external setup instructions before following them, and do not run commands from outside the reviewed artifacts unless you trust the source.
