Colony
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
Colony mostly matches its multi-agent purpose, but it can launch long-running delegated agents, perform high-impact ops-style tasks, and send automatic Telegram notifications, so users should review its controls before installing.
Install only if you are comfortable with a skill that starts delegated OpenClaw agents, stores reusable agent memory, and may send task notifications externally. Before use, inspect notification settings, restrict tool permissions for the ops/shell agent, run it in a safe workspace, and require human approval for deployments or destructive changes.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bad notification configuration could execute unintended local commands when a checkpoint, completion, or failure notification is sent.
The notification target comes from configuration and is interpolated into a shell command, while only the message is escaped. A malformed or attacker-influenced target could cause unintended shell execution when notifications run.
const target = config.notifications?.target || 'YOUR_PHONE_NUMBER'; ... const cmd = `openclaw message send --channel telegram --target '${target}' --message '${escapedMessage}'`; ... execSync(cmd, {
Disable notifications unless needed, inspect the notification target carefully, and prefer a version that uses spawn/execFile with argument arrays plus target validation instead of shell string interpolation.
If used with broad OpenClaw/tool permissions, an assigned agent could alter local projects, git state, deployments, or other systems.
The skill explicitly supports delegating deployment and system operations to an agent, which can be high-impact. The provided artifacts do not show clear per-action approval, sandboxing, rollback, or scope limits for those operations.
node scripts/colony.mjs assign shell "deploy the staging branch" ... **shell** | ops | Git, deployments, system tasks
Use this only in trusted workspaces, restrict tool permissions for delegated agents, and require explicit human approval before deployments, deletes, commits, pushes, or system changes.
Delegated work can keep running asynchronously, making it easier to lose track of active tasks or tool use.
The worker is designed to run delegated agents in the background for up to 30 minutes. This matches the orchestration purpose, but users should know tasks may continue after the foreground command returns.
Colony Worker - Background agent execution handler ... Spawned by colony.mjs to run agents without blocking the CLI. ... --timeout 1800
Monitor active runs and task status, cancel runs you no longer want, and avoid giving background agents broad permissions.
Process names, run IDs, stage names, and error snippets may be sent through an external messaging channel.
Notifications are enabled by default in the fallback config and send checkpoint, completion, or failure messages through Telegram. This external data flow is not reflected in the registry credential or capability declarations.
notifications: { enabled: true, on_checkpoint: true, on_complete: true, on_failure: true } ... openclaw message send --channel telegram
Review or disable notification settings before use, avoid putting secrets in process names or task errors, and ensure the configured target is trusted.
Incorrect, stale, or maliciously added memory entries could bias later tasks or steer agents away from your intent.
Per-agent memory and global context are loaded into future agent prompts. This is a disclosed learning feature, but persistent notes can influence future agent behavior.
const agentMemory = getAgentMemory(agentName); const globalContext = getGlobalContext(); ... memorySection = `\n\n## Your Memory (lessons from past tasks)`
Periodically review the colony/memory files, shared learnings, and global context; remove entries that look like commands, secrets, or untrusted instructions.
Dependency behavior could change depending on the installed package version.
The skill includes an external npm dependency specified with a semver range. If installed, the resolved package version can vary unless locked.
"dependencies": { "js-yaml": "^4.1.1" }
Use a lockfile or pinned dependency version, and install dependencies only from trusted registries.
