Skill
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill’s purpose is coherent, but it asks the AI to install and run an unpinned external multi-agent/MCP system with broad automatic code/file tools and persistent memory.
Install only if you trust the upstream Ruflo/Claude-Flow package. Prefer pinned versions, inspect the installer before running it, use a disposable or version-controlled workspace, keep API keys limited and monitored, and disable or regularly clear persistent memory if working with private code or secrets.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A changed or compromised upstream installer could execute arbitrary commands and alter Claude Code configuration under the user’s account.
The recommended path lets the AI run a mutable remote installer directly through bash, without a pinned version, hash, or reviewed install spec in the provided artifacts.
> **AI can execute automatically** ... curl -fsSL https://cdn.jsdelivr.net/gh/ruvnet/ruflo@main/scripts/install.sh | bash -s -- --full
Do not allow automatic installation; inspect the script/package first, pin to a trusted version or commit, and prefer a reviewed install spec or isolated environment.
An agent or hook could modify project files or run code in ways the user did not explicitly review, especially during broad refactor, testing, or security-scan tasks.
The skill documents agents with file read/write and code execution tools plus automatic lifecycle orchestration, but does not define per-directory limits, approval gates, or safe execution boundaries.
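tools: ["read_file", "write_file", "execute_code"] ... Claude-Flow's Hook system automatically: identifies the task type, selects a suitable combination of agents, coordinates execution, and integrates the results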
Use it only in a disposable or version-controlled workspace, require confirmation before file writes or command execution, and restrict tools to the minimum needed for each task.
Private project details, mistaken outputs, or poisoned instructions could persist and influence future tasks.
The skill says successful patterns are automatically stored in persistent vector memory and reused later, but the artifacts do not bound what is stored, retention, exclusions, or cross-task reuse.
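Knowledge reuse — successful patterns are automatically stored in vector memory and reused directly for similar future tasks ... HNSW vector search + SQLite persistence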
Before use, confirm where memory is stored, how to disable it, how to delete it, and what project files or task contents are excluded from indexing.
Provider keys may expose paid LLM accounts or incur API costs if misconfigured or used by broad autonomous workflows.
Provider API keys are expected for a multi-LLM orchestration tool, but they are sensitive credentials and are not declared in the registry metadata.
npx ruflo@latest config set provider anthropic --api-key $ANTHROPIC_API_KEY ... openai --api-key $OPENAI_API_KEY ... google --api-key $GOOGLE_API_KEY
Use dedicated, limited-scope API keys where possible, avoid committing .env files, monitor usage and spending, and remove keys from configuration when no longer needed.
Task context or code details may be shared among agents and MCP tools in ways that are not obvious from a single user prompt.
The skill is explicitly built around many agents, swarm topologies, and MCP integration, but the documentation does not spell out identity, origin, or permission boundaries between agents and tools.
Can directly coordinate 100+ specialized agents within a Claude Code session ... swarm topologies (hierarchical/mesh/ring/star) ... native MCP integration
Start with non-sensitive projects, review enabled MCP tools, and avoid giving swarms secrets or production credentials unless the communication boundaries are understood.
