Smart Spawn API
ReviewAudited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is transparent about using an external API, but it can send task details to an unknown service and use that service’s response to spawn multiple agents without clear limits.
Use this only if you are comfortable sharing task descriptions with ss.deeflect.com and reviewing any suggested decomposition or swarm plan before agents are spawned. Set clear budget, model allowlist, and maximum-spawn limits.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A remote service could influence which agents are launched and how many, potentially increasing costs or causing agents to work on unreviewed subtasks.
The skill chains a third-party API response directly into sub-agent spawning, including multi-agent or parallel spawning, without documenting confirmation, validation, maximum count, or cost/action limits.
Use the returned `id` as the `model` parameter in `sessions_spawn` ... use `/api/decompose` or `/api/swarm` to break it into subtasks, spawn each with its recommended model
Require user approval before spawning, cap the number of spawned sessions, validate returned model IDs against an allowlist, and review API-generated decomposition or swarm plans before execution.
If a task description contains private or confidential information, that information may be sent to ss.deeflect.com.
The documented workflow sends the task description to an external provider API. This is purpose-aligned and disclosed, but the artifacts do not describe privacy, retention, or sensitivity boundaries for submitted task text.
GET ss.deeflect.com/api/pick?task=<description>&budget=<tier>
Avoid sending secrets or sensitive task details, or add a clear privacy/retention disclosure and redaction guidance.
It may be harder to verify who published the skill or whether the package metadata belongs to this exact registry entry.
The included package metadata does not match the supplied registry metadata, which lists a different owner ID and the slug `smart-spawn-api`; this creates provenance ambiguity even though there is no executable install code.
"ownerId": "kn72k5yywr6jmsfr2x7h68z03980dvzx", "slug": "smart-spawn"
Verify the publisher and domain ownership before trusting the external API, and align _meta.json with the registry metadata.