Isolated Multi-Agent Control Plane

Audited by ClawScan on May 10, 2026.

Overview

The skill is a mostly transparent local blueprint, but its advertised secure multi-agent boundaries rely on editable files and self-declared role names rather than real enforcement.

The review found no exfiltration or destructive malware, but do not treat the skill as a production security boundary as-is. Use it as a local blueprint, install it only in a controlled directory, avoid placing secrets in shared memory or mailbox files, and add real authentication, file permissions, signed messages, and approval enforcement before using it for autonomous or production workflows.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A task could be marked reviewed, done, blocked, or failed without the intended reviewer or owner controls being reliably enforced.

Why it was flagged

The task-control script can change task state with an optional actor and minimal role/reviewer validation, so any local agent or process with access to the script can mutate control-plane task status.

Skill content
t.add_argument('--actor',required=False)
...
d['status']=nxt
...
save(p,d)

Recommendation

Do not treat the task state machine as a security boundary. Add authenticated actors, reviewer checks, file permissions, and explicit human approval gates before using it for production automation.
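The following is an added illustration of the recommendation above, not code from the skill's own taskctl.py. It shows a task state transition that refuses an absent actor and checks owner and reviewer rights per transition; the task record shape ({"id", "status", "owner", "reviewers"}) and the role labels are assumptions made for the example.

```python
# Added example, not the skill's taskctl.py: a task state transition that
# refuses anonymous actors and checks owner/reviewer rights per transition.
from typing import Optional

# Which transitions exist, and which role on the task may perform each one.
# The status names follow the review; the role labels are assumptions.
TRANSITIONS = {
    ("todo", "in_progress"): "owner",
    ("in_progress", "blocked"): "owner",
    ("blocked", "in_progress"): "owner",
    ("in_progress", "done"): "owner",
    ("done", "reviewed"): "reviewer",
    ("done", "failed"): "reviewer",
}


class TransitionError(Exception):
    """Raised when a status change is not permitted."""


def transition(task: dict, nxt: str, actor: Optional[str]) -> dict:
    """Return a copy of `task` moved to status `nxt`, or raise TransitionError.

    `task` is a hypothetical record: {"id", "status", "owner", "reviewers": [...]}.
    The input is not mutated, so a rejected change leaves nothing half-written.
    """
    if not actor:
        raise TransitionError("actor is required for every status change")
    cur = task["status"]
    needed = TRANSITIONS.get((cur, nxt))
    if needed is None:
        raise TransitionError(f"transition {cur} -> {nxt} is not allowed")
    if needed == "owner" and actor != task["owner"]:
        raise TransitionError(f"{actor} is not the owner of {task['id']}")
    if needed == "reviewer":
        if actor not in task.get("reviewers", []):
            raise TransitionError(f"{actor} is not a designated reviewer of {task['id']}")
        if actor == task["owner"]:
            raise TransitionError("the owner may not review their own task")
    updated = dict(task)
    updated["status"] = nxt
    # Append an audit record so every state change names who made it.
    updated["history"] = list(task.get("history", [])) + [
        {"from": cur, "to": nxt, "actor": actor}
    ]
    return updated


if __name__ == "__main__":
    # Constructed sample task.
    task = {"id": "T-1", "status": "done", "owner": "agent-a", "reviewers": ["agent-b"]}
    print(transition(task, "reviewed", "agent-b")["status"])
    for who in (None, "agent-a", "agent-c"):
        try:
            transition(task, "reviewed", who)
        except TransitionError as exc:
            print("rejected:", exc)
```

The transition table is the only place that decides who may move a task, so a caller cannot reach "reviewed" by passing a different --actor string; the actor must also be on the task's reviewer list and must not be the owner. This still relies on the actor name being trustworthy, which is why the review also asks for authenticated identities and file permissions.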

What this means

Any local actor with access could claim to be Team Lead and archive mailbox messages, bypassing the intended control-plane authority model.

Why it was flagged

Privileged mailbox garbage collection is authorized only by comparing the user-supplied --actor value to the string 'team-lead'; the artifacts do not bind that role to a real authenticated agent identity.

Skill content
gc.add_argument('--actor', required=True)
...
if a.actor != 'team-lead':
    raise SystemExit('only team-lead can run mailbox GC')

Recommendation

Use OS-level per-agent permissions, signed requests, capability tokens, or another real authentication mechanism for privileged role actions.

What this means

An agent could spoof another agent or Team Lead message, causing downstream agents to trust or act on misleading instructions.

Why it was flagged

Mailbox message origin and destination are accepted from command-line fields. The checksum provides integrity for the written file contents but does not authenticate the sender.

Skill content
s.add_argument('--sender', required=True)
s.add_argument('--receiver', required=True)
...
'sender': a.sender,
'receiver': a.receiver,

Recommendation

Treat mailbox content as untrusted unless sender identity is verified. Add authenticated sender validation, signed messages, strict role lists, and approval checks for sensitive actions.
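The following added example covers the two findings above (the string-compared --actor for mailbox GC and the unauthenticated --sender field); it is not code from the skill's mailboxctl.py. Each agent holds its own HMAC key, the claimed sender is verified against the key that actually signed the message, and the team-lead role is looked up from a fixed table keyed on the verified identity rather than taken from the caller. The key store, role table and message fields are assumptions made for the example.

```python
# Added example, not the skill's mailboxctl.py: per-agent HMAC-signed mailbox
# messages, with privileged actions gated on the verified sender's role.
import hashlib
import hmac
import json
import secrets
from typing import Dict

# Constructed per-agent keys. In a real deployment each agent would read only
# its own key from a file readable solely by that agent's OS user.
KEYS: Dict[str, bytes] = {
    "team-lead": secrets.token_bytes(32),
    "agent-a": secrets.token_bytes(32),
    "agent-b": secrets.token_bytes(32),
}

# Roles are bound to identities here, not supplied by the caller.
ROLES: Dict[str, str] = {"team-lead": "team-lead", "agent-a": "worker", "agent-b": "worker"}


def canonical(msg: dict) -> bytes:
    """Serialize every field except the signature in a stable order."""
    body = {k: v for k, v in msg.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(msg: dict, key: bytes) -> dict:
    """Return a copy of `msg` carrying an HMAC-SHA256 over its canonical form."""
    signed = dict(msg)
    signed["sig"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return signed


def verify(msg: dict) -> str:
    """Return the sender name only if the signature was made with that sender's key."""
    sender = msg.get("sender")
    key = KEYS.get(sender)
    if key is None or "sig" not in msg:
        raise ValueError("unknown sender or unsigned message")
    expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["sig"]):
        raise ValueError("signature does not match the claimed sender")
    return sender


def run_gc(request: dict) -> bool:
    """Authorize mailbox GC from the verified identity, not from a free-text actor."""
    sender = verify(request)
    if ROLES.get(sender) != "team-lead":
        raise PermissionError(f"{sender} is not team-lead; refusing mailbox GC")
    return True


if __name__ == "__main__":
    # Constructed messages: a legitimate one, and one where agent-a claims to be team-lead.
    good = sign({"sender": "agent-a", "receiver": "agent-b", "body": "status?"}, KEYS["agent-a"])
    print("verified sender:", verify(good))
    spoof = sign({"sender": "team-lead", "receiver": "agent-b", "body": "do X"}, KEYS["agent-a"])
    try:
        verify(spoof)
    except ValueError as exc:
        print("rejected:", exc)
```

Because the signature covers every field, changing the body or the receiver after signing fails verification as well, so this also replaces the write-time checksum with a check that holds across agents. The role check in run_gc is the counterpart of the skill's `if a.actor != 'team-lead'` line, but the identity it compares is one the message proved, not one the caller typed.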

What this means

Information placed in shared memory may be reused across future agent tasks and could influence later decisions.

Why it was flagged

The blueprint includes persistent cross-agent shared memory, with semantic memory retained indefinitely by default.

Skill content
retention:
  episodic_days: 30
  semantic_days: -1
  archive_days: 180

Recommendation

Avoid storing secrets or private scratchpad content in shared memory, review memory entries periodically, and set finite retention if needed.
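As an added illustration of the retention recommendation, not code from the skill, the function below evaluates a shared-memory store against the retention block shown above. A negative value is treated as "never expires" and reported separately, so unbounded retention shows up as an explicit decision rather than a silent default. The entry record shape and the finite alternative value (365 days) are assumptions made for the example.

```python
# Added example, not part of the skill: audit shared memory against the
# retention config, reporting unbounded kinds instead of silently keeping them.
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# The retention block as shipped: semantic memory is kept indefinitely.
RETENTION_DEFAULT = {"episodic_days": 30, "semantic_days": -1, "archive_days": 180}
# A finite alternative; 365 is an assumed value chosen for the example.
RETENTION_FINITE = {"episodic_days": 30, "semantic_days": 365, "archive_days": 180}


def audit(entries: List[Dict], retention: Dict[str, int], now: datetime) -> Tuple[List[str], List[str]]:
    """Return (ids past their retention, memory kinds whose retention is unbounded).

    `entries` is a hypothetical record shape: {"id", "kind", "created": datetime},
    where kind is "episodic", "semantic" or "archive".
    """
    expired: List[str] = []
    unbounded = set()
    for entry in entries:
        days = retention[f"{entry['kind']}_days"]
        if days < 0:
            # Negative retention means the entry is never purged; surface that.
            unbounded.add(entry["kind"])
            continue
        if now - entry["created"] > timedelta(days=days):
            expired.append(entry["id"])
    return expired, sorted(unbounded)


if __name__ == "__main__":
    # Constructed entries of each kind, aged relative to a fixed "now".
    now = datetime(2026, 5, 10, tzinfo=timezone.utc)
    entries = [
        {"id": "ep-1", "kind": "episodic", "created": now - timedelta(days=40)},
        {"id": "sem-1", "kind": "semantic", "created": now - timedelta(days=400)},
        {"id": "arc-1", "kind": "archive", "created": now - timedelta(days=10)},
    ]
    print("default:", audit(entries, RETENTION_DEFAULT, now))
    print("finite: ", audit(entries, RETENTION_FINITE, now))
```

Run periodically, the unbounded list is the prompt to review what has accumulated in semantic memory; switching to a finite value turns year-old semantic entries into candidates for purge rather than permanent context for future tasks.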

What this means

Running the installer modifies the selected local directory.

Why it was flagged

The install helper is user-directed and purpose-aligned, but it writes files into the chosen target directory and enables executable helper scripts.

Skill content
mkdir -p "$TARGET_DIR"
cp -R "$SRC"/* "$TARGET_DIR"/
chmod +x "$TARGET_DIR"/scripts/taskctl.py "$TARGET_DIR"/scripts/mailboxctl.py

Recommendation

Run the installer only against an intended test or project directory, and review the copied files before relying on them.