sub-agents
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: sub-agents Version: 1.0.0 The 'sub-agents' skill bundle provides a structured framework for an AI agent to delegate tasks to parallel sub-sessions. It includes comprehensive documentation on model routing (referencing futuristic GPT-5 and Claude models), task specification protocols, and session management tools like `sessions_spawn` and `subagents`. While it includes a mechanism to suppress status updates (`ANNOUNCE_SKIP`), this is presented as a legitimate way to reduce chat noise during parallel processing rather than a stealth tactic. No indicators of data exfiltration, malicious execution, or unauthorized access were found in SKILL.md or the associated reference files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A delegated sub-agent may be able to read, modify, or act through the same tools as the parent agent, depending on the task and runtime configuration.
The skill explicitly says child agents can use nearly all available tools and inherit sandbox behavior unless a stricter sandbox is required.
Sub-agents get all tools EXCEPT session tools ... sandbox | inherit | require
Use precise task specs, set `sandbox: require` for risky work, configure least-privilege tool access where available, and avoid delegating broad or destructive tasks without review.
Files, attachments, or secrets included in a sub-agent task may be processed by another model/session and may also influence the final announcement.
The skill transfers task text, referenced files, and attachments to sub-agent sessions, which is expected for delegation but can expose sensitive information if over-shared.
They only see: 1. The `task` string you provide 2. Whatever files you tell them to read ... 3. Inline `attachments` you pass at spawn time
Pass only the minimum necessary context, avoid including secrets or private files unless required, and specify exactly which paths and outputs the sub-agent may use.
A child agent may keep working while the parent continues, so mistakes or unnecessary work might happen in parallel if the task is poorly scoped.
Sub-agent sessions continue independently after being spawned and are retained by default until archival, though this behavior is disclosed and bounded by the documented session mechanism.
Always non-blocking. Returns `{ status: "accepted", runId, childSessionKey }` immediately ... Auto-archive ... default: 60Use `runTimeoutSeconds`, clear success criteria, and `cleanup: delete` when persistence is not needed; monitor child session results before relying on them.
Delegated work could run under a different configured agent identity with different permissions if allowed by the environment.
The skill documents the ability to spawn work under another agent identity, but also notes it is restricted by an allowlist.
`agentId` ... Spawn under another agent (must be in allowlist)
Only use alternate `agentId` values intentionally, keep the allowlist narrow, and verify which agent identity will perform sensitive actions.
A sub-agent may complete without directly posting its result to the chat, so users may need to rely on the parent agent to summarize or surface the saved output.
The skill documents a mechanism to suppress sub-agent announcements for consolidation by the parent agent. This is disclosed, but it affects user-visible reporting.
Your final reply after writing the file should be ONLY: ANNOUNCE_SKIP
Use announce suppression only when the parent agent will explicitly review and present the results; otherwise require a visible summary.