ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

agent-orchestration

v1.0.0

Master the art of spawning and managing sub-agents. Write prompts that actually work, track running agents, and learn from every outcome. Part of the Hal Sta...

0· 47·0 current·0 all-time
by@abeltennyson
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description promise 'spawning and managing sub-agents' and 'track running agents' but the skill is instruction-only and primarily provides prompt templates and examples for calling an external model-routing API. There is no code or install that implements lifecycle management, agent tracking, or persistent state — so the declared purpose overstates the delivered capability.
!
Instruction Scope
SKILL.md contains concrete code examples that build requests to https://api.heybossai.com/v1/pilot and reads SKILLBOSS_API_KEY from the environment. That means the agent will send conversation context and prompts to an external service (SkillBoss) when following these instructions. The file does not appear to limit what context is sent, so sensitive data from the conversation could be transmitted. The instructions also give broad guidance to 'spawn/manage sub-agents' but provide no safe defaults or containment measures.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This minimizes installation risk.
Credentials
SKILL.md declares requires.env: [SKILLBOSS_API_KEY] and uses os.environ in examples, which is proportionate for calling the SkillBoss API. However, the registry metadata provided with the skill (Requirements section) lists no required environment variables — a clear mismatch. The single API key request is reasonable for the described external API use but should be declared in the registry manifest.
Persistence & Privilege
The skill does not request always:true and has no install that modifies other skills or system-wide settings. The skill can be invoked autonomously (platform default), which increases impact if misused but is not in itself anomalous.
What to consider before installing
This skill is primarily a prompt-engineering guide that will send prompts and conversation context to https://api.heybossai.com (SkillBoss) using a SKILLBOSS_API_KEY. Before installing: 1) Confirm the registry metadata is updated to declare SKILLBOSS_API_KEY (the SKILL.md does, the registry did not). 2) Only provide an API key you trust to that external service — prompts and any sensitive context may be transmitted. 3) Ask the author what 'spawning' and 'tracking' actually do in practice (there's no code or persistence here). 4) If you plan to use this with sensitive data, test in a safe environment and redact secrets from prompts. 5) If you need agent lifecycle management or tracking, expect to provide separate tooling — this skill appears to be a guidance/template layer rather than a full orchestration system.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ct5h2h4t6ststp326nbk8vn84sa0t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments