TeamWork
Review
Audited by ClawScan on May 10, 2026.
Overview
TeamWork appears purpose-aligned, but it should be reviewed because it collects and persists AI provider API keys and cross-task agent state without clearly declared credential handling or secret masking.
Review this skill before installing. Prefer environment variables or a secret manager for provider API keys, ensure .trae/config is not committed or shared, and confirm which providers may receive task data during multi-agent execution.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An API key could be stored in plaintext in the project’s .trae configuration, exposed in chat/output when viewing config, or accidentally committed/shared with the project.
The skill asks for AI provider credentials and persists them in a local configuration file, then documents a workflow that displays the complete configuration. The registry metadata declares no primary credential or required environment variables, and the artifacts do not specify masking or secret storage.
For each provider, collect: ... API key (or environment variable name) ... Save all configurations to `.trae/config/providers.json` ... Response: Display complete configuration from `.trae/config/providers.json`
Use environment-variable references or a dedicated secret store instead of raw API keys, mask secrets whenever configuration is displayed, and review file permissions and version-control ignores for .trae/config.
Installing or invoking the skill can create or overwrite TeamWork-related configuration files under the current working directory’s .trae folder.
Initialization creates and writes OpenClaw/Trae configuration and data files. This is coherent with the skill’s setup purpose, but it changes persistent local agent state.
const CONFIG_DIR = path.join(process.cwd(), '.trae', 'config'); ... fs.mkdirSync(dir, { recursive: true }); ... fs.writeFileSync(filePath, JSON.stringify(data, null, 2), 'utf8');
Review the generated files before use, keep backups of existing .trae configuration, and avoid running setup from an unexpected working directory.
Incorrect or manipulated model scores could cause the skill to prefer the wrong models or roles in later tasks.
The coordinator reads persistent model scores and uses them to select heralds and assign roles. This is intended behavior, but stored evaluations can affect future task routing.
this.scores = init.readJSON(init.SCORES_FILE); ... const score = this.scores.scores[m.model]; ... scoredCandidates.sort((a, b) => b.combinedScore - a.combinedScore);
Periodically review or reset model_scores.json, and require user confirmation before major score-driven routing or role changes.
Sensitive task details may be routed to multiple configured AI providers during team execution.
The skill is designed to coordinate multiple models/providers. Sharing task context among configured agents is central to the feature, but the artifacts do not define provider-specific data boundaries or redaction.
Multi-Provider Support: Configure multiple AI providers ... Team Assembly → Convene available models ... Execution → Parallel task execution with herald coordination
Only configure providers you trust for the data involved, and avoid using this skill for confidential tasks unless provider routing and redaction are clearly controlled.
