Build Pipeline
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The visible skill is a coherent build-orchestration workflow, but it relies on other local agents and stores build context in shared files.
This looks like a benign orchestration skill for building agents. Before installing, make sure you trust the local Builder and research-worker skills it will invoke, and avoid including secrets in build requests because prompts and research outputs are written to shared build files.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing this skill may cause your agent to rely on other local worker skills that were not reviewed here.
The skill's core workflow depends on external local research-worker instruction files that are not included in the provided artifact. This appears purpose-aligned, but their provenance and contents must be trusted separately.
Before doing anything, read your SKILL.md file: ~/.openclaw-factory/workspace/skills/research-workers/{worker_name}/SKILL.md ... Follow ALL instructions in that file exactly.
Review and trust the referenced Builder and research-worker skills before using this pipeline for important builds.
A build request can trigger multiple delegated agent sessions working at once.
The skill directs the agent to spawn multiple sub-agents in parallel. That is central to the build-pipeline purpose, but users should understand that work may happen through delegated agents rather than a single visible chat flow.
Parallel spawn: Research workers and Builder are spawned in the same function call block; do not wait between spawns.
Use this skill only when you intend to delegate the build process to the Builder and research workers.
Any secrets or private details included in the build request may be saved in local build artifacts.
The workflow persists the user's exact prompt and related build context into shared build files. This is expected for orchestration, but the stored content may include sensitive information if the user puts it in the prompt.
Write parse report to: `shared/builds/{build-id}/parse-report.yaml` ... `raw_prompt: [exact user input, verbatim]`
Avoid putting passwords, tokens, or other sensitive data in build prompts, and clean up build artifacts if they are no longer needed.
Your build context and research results may be shared with the Builder and worker agents involved in the pipeline.
Research findings and build context are passed between agents using session messaging and shared files. This is consistent with the skill's purpose, but it means build data crosses agent boundaries.
Feed Research to Builder — Send Builder phase 2 task with research findings via `sessions_send`
Confirm that the delegated agents are trusted and appropriate for the data included in the build request.
