Agent Cli Orchestrator

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: agent-cli-orchestrator
Version: 2.0.1

The skill orchestrates multiple AI CLI tools but employs high-risk patterns, specifically requiring the agent to source the user's `~/.zshrc` and execute a local shell script (`scripts/scan_ai_tools.sh`) to discover tools and environment variables. While these actions are functionally justified in the documentation for path discovery, sourcing shell configuration files is a significant security risk that can trigger unintended side effects or expose sensitive environment variables. The instructions in `SKILL.md` explicitly direct the AI agent to use these high-privilege methods instead of standard, safer detection commands.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

The agent may automatically switch to another AI CLI and continue a task, potentially consuming other accounts, sending project context elsewhere, or repeating an unsafe coding action.

Why it was flagged

The skill instructs the agent to automatically invoke a backup AI CLI and retry work after failure. For coding workflows, this can repeat tool actions or send task context to another provider without an explicit approval step.

Skill content
State Handover: Start backup tool, automatically retry failed instruction.
Recommendation

Require explicit user confirmation before invoking a new AI CLI, retrying failed work, or allowing any tool to modify files; define per-tool scopes and a dry-run/default-read-only mode.

Concern (Medium Confidence)
ASI03: Identity and Privilege Abuse
What this means

Project .env files can contain API keys, tokens, database credentials, or deployment secrets; the agent may inspect or use them without a clearly declared scope.

Why it was flagged

The skill tells the agent to read local .env files and use backup auth material, while the registry declares no required credentials or scoped environment variables.

Skill content
Environment Sync: Read `.ai-config.yaml` or `.env` from project root for permission config. ... Auth Failed ... Try local backup `.env`
Recommendation

Do not automatically read .env files. Declare any required credentials, ask the user which specific keys may be used, and avoid exposing unrelated secrets to AI CLIs.

Concern (Medium Confidence)
ASI06: Memory and Context Poisoning
What this means

Private code, command history, diffs, or secrets accidentally present in files could be persisted and reused across tasks or sent to another AI provider.

Why it was flagged

The skill describes retaining task context and sharing diffs/summaries between tools, but does not specify storage boundaries, retention, redaction, or how sensitive or stale context is controlled.

Skill content
Each task associates: ... File snapshots ... Command history ... Last summary ... When switching tools, always pass `git diff` or latest `summary.md`
Recommendation

Define where task metadata is stored, how long it is kept, how it is isolated per project, and require review/redaction before passing diffs or summaries to another tool.

What this means

Running the scanner may execute commands embedded in the user’s shell profile and create or update a config file in the home directory.

Why it was flagged

The scan script sources the user’s shell startup file and executes installed AI CLI commands with help/version flags. This is aligned with detecting tools, but it is still local command execution with possible shell-profile side effects.

Skill content
[ -f "$HOME/.zshrc" ] && source "$HOME/.zshrc" ... if "$cmd" --help ... || "$cmd" --version ...
Recommendation

Run the scan only after reviewing the script, and consider avoiding full shell-profile sourcing or documenting exactly what files are read and written.