sub-agents
Pass
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is coherent for sub-agent orchestration, but users should be mindful that spawned agents may run in parallel with broad inherited tool access and can receive files or attachments.
This skill appears benign and purpose-aligned, but it gives the agent a framework for delegating work to parallel sub-agents. Before using it, make sure delegated tasks are narrow, avoid passing secrets or unnecessary private files, require sandboxing for risky work, set timeouts for long tasks, and review any saved outputs when announcement suppression is used.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A delegated sub-agent may be able to read, modify, or act through the same tools as the parent agent, depending on the task and runtime configuration.
The skill explicitly says child agents can use nearly all available tools and inherit sandbox behavior unless a stricter sandbox is required.
Sub-agents get all tools EXCEPT session tools ... sandbox | inherit | require
Use precise task specs, set `sandbox: require` for risky work, configure least-privilege tool access where available, and avoid delegating broad or destructive tasks without review.
Files, attachments, or secrets included in a sub-agent task may be processed by another model/session and may also influence the final announcement.
The skill transfers task text, referenced files, and attachments to sub-agent sessions, which is expected for delegation but can expose sensitive information if over-shared.
They only see: 1. The `task` string you provide 2. Whatever files you tell them to read ... 3. Inline `attachments` you pass at spawn time
Pass only the minimum necessary context, avoid including secrets or private files unless required, and specify exactly which paths and outputs the sub-agent may use.
A child agent may keep working while the parent continues, so mistakes or unnecessary work might happen in parallel if the task is poorly scoped.
Sub-agent sessions continue independently after being spawned and are retained by default until archival, though this behavior is disclosed and bounded by the documented session mechanism.
Always non-blocking. Returns `{ status: "accepted", runId, childSessionKey }` immediately ... Auto-archive ... default: 60
Use `runTimeoutSeconds`, clear success criteria, and `cleanup: delete` when persistence is not needed; monitor child session results before relying on them.
Delegated work could run under a different configured agent identity with different permissions if allowed by the environment.
The skill documents the ability to spawn work under another agent identity, but also notes it is restricted by an allowlist.
`agentId` ... Spawn under another agent (must be in allowlist)
Only use alternate `agentId` values intentionally, keep the allowlist narrow, and verify which agent identity will perform sensitive actions.
A sub-agent may complete without directly posting its result to the chat, so users may need to rely on the parent agent to summarize or surface the saved output.
The skill documents a mechanism to suppress sub-agent announcements for consolidation by the parent agent. This is disclosed, but it affects user-visible reporting.
Your final reply after writing the file should be ONLY: ANNOUNCE_SKIP
Use announce suppression only when the parent agent will explicitly review and present the results; otherwise require a visible summary.
