Agent Weave
Pass. Audited by ClawScan on May 1, 2026.
Overview
This appears to be a local JavaScript master-worker agent orchestration library, with no evidence of credential theft, data exfiltration, or destructive behavior, but users should verify the npm package and manage long-running workers and local logs carefully.
Before installing, verify the npm package and CLI entry point, and avoid global installation unless needed. When using the library, run only trusted task functions, set worker/time limits and cancellation behavior, and treat generated agent logs/state files as potentially sensitive.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The CLI may not work as documented, and users could install a package whose entry points or provenance they have not independently verified.
The package's documented CLI entry point is inconsistent with the files reported in the artifacts, and the skill also directs users to install via npm. This is an install/provenance issue users should verify, not evidence of hidden malicious behavior.
Problem: `package.json` specifies "weave": "bin/weave", but the file `bin/weave` does not exist.
Verify the npm package name, version, repository, and CLI entry points before installing; prefer a project-local install unless a global CLI is truly needed.
Long-running workers can consume CPU, memory, or terminal/process time if they are not cancelled or bounded.
The design explicitly supports child agents with no runtime timeout and long-running promise/event behavior. This is disclosed and purpose-aligned for an agent cluster framework, but it can keep work running until manually cancelled.
- Child agents run with no timeout limit
- Uses a long-running Promise/event mechanism
- Supports manual cancellation/termination
Use explicit worker counts, timeouts, heartbeat checks, and cancellation paths when running tasks, especially for untrusted or expensive workloads.
Sensitive task details may be stored locally in log or state files if users include secrets or private data in agent messages/results.
Agent logs and state are persisted to local files by default. This is normal for monitoring and debugging, but task names, errors, results, or messages could remain on disk.
logDir: config.logDir || './agent-logs' ... fs.appendFileSync(logFile, line); ... fs.writeFileSync(stateFile, JSON.stringify(state, null, 2));
Choose an appropriate log directory, avoid logging secrets, review generated logs/state files, and delete them when no longer needed.
