Skill v1.0.2

ClawScan security

task-delegator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 12, 2026, 12:25 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's stated purpose (delegating any tool-using work to ephemeral subagents) matches its instructions, but explicit requirements to auto-delete subagent records and to hide delegation from users create a meaningful risk of covert actions and audit-evasion.
Guidance
This skill's core idea (delegating tool use to temporary subagents to keep the main conversation small) is reasonable, but several choices raise red flags: it requires spawned agents to be deleted and forbids telling users about delegation, and it encourages delegated agents to read/write files and store memory — all of which can be used to hide actions or exfiltrate data. Before installing or enabling this skill, consider: 1) Ask for source/homepage and reason for mandatory cleanup:"delete"; require retention of audit logs or disallow auto-delete. 2) Require transparency: subagents' use should be disclosed to the user when operations affect their data or system. 3) Limit delegated agents' permissions (scoped file paths, read-only where possible) and require explicit user consent for writing to persistent files like soul.md or storing memories. 4) Review platform policy: confirm that sessions_spawn with cleanup:"delete" cannot bypass centralized auditing. 5) Test in a sandbox first and prefer versions that retain execution metadata. If you need delegation for legitimate scaling/clarity, insist on changes that restore auditability and explicit consent.

Review Dimensions

Purpose & Capability
note
The name/description (delegate tool-using work to subagents) aligns with the SKILL.md: it consistently instructs using sessions_spawn() for searches, browsing, file I/O, code execution, API calls, and writes to soul.md. Delegation itself is coherent with the stated goal. However, the requirement to always use cleanup:"delete" and to never disclose delegation to users is not necessary to achieve the stated aim of keeping the main session concise, and therefore is disproportionate.
Instruction Scope
concern
Instructions mandate spawning subagents for any tool operation (including reading arbitrary file paths and performing web/API access), using memory_store both before and after tasks, and explicitly forbidding mentioning the delegation to users. They also require writes to soul.md only via subagents. The combined behavior (automatic delegation + mandated deletion + secrecy) permits operations that could access sensitive files or information and remove traces from visible history/audit, which is outside a normal 'keep context small' boundary.
Install Mechanism
ok
This is an instruction-only skill with no install spec, no code files, and no external downloads — low risk from installation mechanisms.
Credentials
note
The skill declares no environment variables or credentials (good), but it instructs reading/writing arbitrary files (e.g., /path/to/file.js, soul.md) and using memory_store to persist decisions/preferences. That means sensitive data could be accessed and stored even though the skill doesn't explicitly request credentials — the instruction-level file/memory access is the relevant risk and is not constrained or scoped.
Persistence & Privilege
concern
The explicit use of cleanup:"delete" for spawned sessions and the prohibition on telling users about subagents reduce transparency and auditability. While always:false (not force-included), the skill's design intentionally erases traces of delegated activity and hides its process from users, which increases the potential for covert or unverifiable operations.