Subagent Isolation Guard

v1.0.0

Codifies physical isolation for subagents and a bypass of semantic routing. Prevents cross-agent context pollution and the subagent model-switch/reset problems caused by semantic routing.

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description match the content of SKILL.md: it proposes workspace isolation and a routing-bypass for subagents. It does not request unrelated credentials, binaries, or installs, so required capabilities align with the stated purpose.
Instruction Scope
SKILL.md instructs modifying runtime logic (semantic-webhook-server.py) to detect a session_key marker ':subagent:' and 'bypass' semantic routing by returning 'continue' and not injecting declarations or model suggestions. This is within the stated goal but is operationally dangerous: it creates an explicit bypass in routing logic and relies on a simple string marker that can be spoofed unless additional safeguards (authentication, signature, or unforgeable session tokens) are enforced. The instructions are also vague about implementation details and access controls.
Install Mechanism
Instruction-only skill with no install spec or code to download. No files are written by the skill itself, minimizing installer-related risk.
Credentials
No environment variables, credentials, or config paths are requested. The absence of extra secrets is proportionate to the stated purpose.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; however, its runtime guidance expects operators to modify server code and configuration (AGENTS.md and semantic-webhook-server.py). Those actions require write privileges and careful change control — the skill implicitly assumes the ability to edit server-side routing code and agent configuration, which elevates operational privilege requirements.
What to consider before installing
This instruction-only skill is coherent for hardening subagent isolation, but it asks you to add a routing bypass and require session IDs to contain ':subagent:'. Before implementing: (1) perform a code review of semantic-webhook-server.py changes and restrict who can edit it and AGENTS.md; (2) avoid relying on a plain string marker — require authenticated, signed, or unforgeable session tokens (not just a prefix) so attackers cannot spoof ':subagent:'; (3) add logging, monitoring, and audits for all bypassed requests; (4) test thoroughly in a staging environment to ensure the bypass doesn't let untrusted inputs evade policy or model-safety checks; (5) consider safer alternatives (e.g., mutual TLS, signed JWT session claims, or an allowlist tied to agent identities) if you need robust isolation. If you cannot enforce these controls, treat deploying this bypass as high risk.


303 downloads · 0 stars · 1 version · Updated 1 month ago · v1.0.0 · License: MIT-0

🛡️ Subagent Isolation Guard

Codifies physical isolation for subagents and a bypass of semantic routing.

🎯 Problems Solved

  1. Context pollution: prevents different subagents from sharing the same workspace, which causes file read/write conflicts and context interference.
  2. Routing recursion / model switching: prevents the main agent's semantic-routing logic from being applied to subagent sessions, which would force a subagent to switch models or have its context cleared.

🛠️ Core Mechanisms

1. Physical Isolation (Workspace Isolation)

Every subagent must be configured with its own separate agentDir:

  • agents/pm/workspace/
  • agents/architect/workspace/
  • ...

2. Semantic Routing Bypass (Routing Bypass)

In semantic-webhook-server.py, the automatic bypass is implemented by detecting a marker in the session_key:

  • Marker to detect: :subagent:
  • Action: return continue immediately; do not inject declarations and do not apply model suggestions.

📝 Codified Rules (AGENTS.md)

When creating or modifying a subagent, ensure that:

  • The allowAgents list is complete.
  • Each subagent has an explicit, non-overlapping agentDir.
  • Subagent session IDs must contain the :subagent: marker.
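To make concrete the marker check described under the routing bypass and required by the codified rules, together with the scan report's point that a plain ':subagent:' substring can be forged by anyone who controls the session key, here is an added Python example. It is not code from the Subagent Isolation Guard skill or from semantic-webhook-server.py (whose actual structure the page does not show). It places the marker-only decision beside a variant that grants the bypass only when the session key carries a valid HMAC-SHA256 tag minted by the spawning agent; the function names, the key layout and the sample secret are assumptions.

```python
"""Subagent routing bypass: the marker-only check the skill describes, beside a
hardened variant that also verifies an HMAC tag over the session key.

Added example, not code from the Subagent Isolation Guard skill or from
semantic-webhook-server.py (whose real structure is not shown on the page).
The function names, the session-key layout and the sample secret are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass

SUBAGENT_MARKER = ":subagent:"


@dataclass(frozen=True)
class RoutingDecision:
    action: str                   # "continue" = bypass routing, "route" = apply semantic routing
    inject_declaration: bool      # whether the server injects its declaration text
    apply_model_suggestion: bool  # whether a model suggestion is applied to the session
    reason: str                   # short reason, intended for the audit log


def _route(reason: str) -> RoutingDecision:
    return RoutingDecision("route", True, True, reason)


def _bypass(reason: str) -> RoutingDecision:
    return RoutingDecision("continue", False, False, reason)


def marker_only_decision(session_key: str) -> RoutingDecision:
    """The check as the skill describes it: any session key containing
    ':subagent:' skips routing. Whoever controls the session key string can
    therefore opt out of routing, which is the weakness the scan report flags."""
    if SUBAGENT_MARKER in session_key:
        return _bypass("marker present")
    return _route("no marker")


def mint_subagent_key(parent: str, child: str, secret: bytes) -> str:
    """Spawner side (assumed layout): '<parent>:subagent:<child>:<hex tag>',
    where the tag is HMAC-SHA256 over everything before the final colon."""
    body = f"{parent}{SUBAGENT_MARKER}{child}"
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"


def verified_decision(session_key: str, secret: bytes) -> RoutingDecision:
    """Hardened variant: the bypass is granted only when the marker sits inside
    a correctly tagged key. A key that merely contains ':subagent:' but has no
    tag, or a wrong one, is routed like any other session."""
    if SUBAGENT_MARKER not in session_key:
        return _route("no marker")
    body, sep, tag = session_key.rpartition(":")
    if not sep or SUBAGENT_MARKER not in body:
        # e.g. 'main:subagent:pm' with no tag: the marker is not inside a signed body
        return _route("marker without tag")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison on bytes, so an odd tag string cannot raise
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return _route("invalid tag")
    return _bypass("verified subagent")


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; a real server loads this from protected config
    samples = [
        "user-42",                               # ordinary session
        "main:subagent:pm",                      # marker only, as the codified rules require
        mint_subagent_key("main", "pm", secret),  # marker plus a valid tag
    ]
    for key in samples:
        weak = marker_only_decision(key)
        strong = verified_decision(key, secret)
        print(f"{key[:40]:<40} marker-only={weak.action:<8} verified={strong.action:<8} ({strong.reason})")
```

The verified variant returns a reason string on every path so the webhook server can log each bypassed and each rejected request, which is the logging and audit control the report asks for. The secret should be held only by the component that spawns subagents and by the webhook server; if the spawner cannot share a secret, a signed session claim or an allowlist tied to agent identities serves the same purpose.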
