ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Baton

v1.0.7

Baton — AI orchestrator for OpenClaw. Routes every request to subagents. Never does work itself.

0· 166·0 current·0 all-time
by@entrebear
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose — an orchestrator that routes work to subagents — matches most of the included files (planners, task manager, probe scripts, orchestration docs). Creating baton state directories, building a model registry, and probing provider rate limits are coherent with model routing. However, the installer also prepends a hard rule into AGENTS.md and writes BOOT.md to enforce startup behavior; these are stronger system‑level changes than a typical routing helper and deserve explicit justification.
!
Instruction Scope
SKILL.md and BOOT.md instruct the agent to run startup routines, probe openclaw.json and agent models, resume incomplete tasks, and run node scripts that read config and resolve API keys. The instructions also require creating and modifying global files (AGENTS.md, BOOT.md), scheduling a boot job, and possibly restarting the gateway. Those steps go beyond simply delegating tasks and grant the skill broad discretion to run code and change agent/system startup behavior.
!
Install Mechanism
There is no remote download, but scripts/install.sh performs persistent changes: it writes/appends/prepends to AGENTS.md and BOOT.md, creates directories in ~/.openclaw, invokes node scripts (probe-limits.js) and attempts to schedule a cron job via the gateway and restart the gateway. Local install scripts that change agent startup config and auto-restart services are higher-risk even when bundled with the skill.
!
Credentials
The skill metadata requests read:env and the probe script resolves API keys from environment variables or config to query provider rate-limit endpoints. While probing provider limits is reasonable for a router, asking for broad env reads (no per-variable scoping) and always being present increases risk of accidental exposure of unrelated secrets. The skill does not declare specific required API keys but the code will attempt to resolve any hinted env vars and may access openclaw.json provider entries.
!
Persistence & Privilege
The registry flags include always:true, and the installer forcibly injects a 'HARD RULE' into AGENTS.md and a BOOT.md entry that runs on gateway restart. The install also schedules a one-shot boot job and attempts to restart the gateway. always:true combined with the ability to modify agent startup and read environment/config is a powerful persistent privilege and increases the blast radius of any bug or malicious behavior.
What to consider before installing
This skill is plausible as an orchestrator, but it requests and installs persistent, high‑privilege changes that merit caution. Before installing: (1) verify the skill author's identity and provenance (source is unknown); (2) inspect and run the install script and the two node scripts (probe-limits.js and task-manager.js) line-by-line in a safe environment; (3) back up AGENTS.md and BOOT.md and plan how to revert changes (install.sh will prepend/append to them and may restart the gateway); (4) confirm you are comfortable with the skill having read:env and exec:scripts permissions — consider limiting environment access or running in an isolated instance; (5) ensure the consent flow in BOOT.md is acceptable (it claims to request consent before probing keys) and test that it actually halts if consent is denied; (6) if you cannot verify provenance, run this skill only in a sandboxed or non-production OpenClaw instance. Because always:true + env access + startup modification is a risky combination, proceed only after manual review and testing.
scripts/probe-limits.js:99
Shell command execution detected (child_process).
scripts/probe-limits.js:23
Environment variable access combined with network send.
!
scripts/probe-limits.js:38
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk971avfrz8njh6s80d707t56r983565d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎼 Clawdis
Configagents.defaults.subagents.maxSpawnDepth

Comments