BMAD Orchestrator
Warn
Audited by ClawScan on May 10, 2026.
Overview
The BMAD workflow is coherent, but it asks the agent to run Claude Code on a remote VM with permission checks bypassed, automate code changes and commits, and create recurring monitoring.
Use this only if you intentionally want OpenClaw to drive Claude Code on a dev VM. Replace the example host/user, run in an isolated branch or sandbox VM, pin the Claude Code package, avoid permission-skipping unless you accept the risk, require manual review before commits, and confirm any cron monitor is removed afterward.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Claude Code could make file, shell, or project changes on the VM without asking for approval for each risky action.
The setup launches Claude Code with permission checks bypassed and then sends keystrokes to accept the permission prompt, reducing action-level user control.
npx @anthropic-ai/claude-code --dangerously-skip-permissions ... # Accept permissions (select option 2)
Avoid using --dangerously-skip-permissions by default. Run in a sandbox or isolated branch, require explicit user approval for high-impact actions, and review diffs before accepting changes.
A mistaken generated change could be committed and then compounded across later stories or epics.
The workflow automates repeated code implementation and commits across stories without clearly requiring a branch, rollback plan, or user review gate before each commit.
For each epic, for each story: ... Dev Story ... implements code + tests ... Commit after each story
Use a dedicated branch, require per-story diff review and test results, and ask the user before each commit or merge.
The exact Claude Code package version used may change over time, making behavior harder to audit.
The instructions rely on npx package execution without a pinned version or install manifest; this is purpose-aligned but not provenance-locked.
npx @anthropic-ai/claude-code --dangerously-skip-permissions
Install and pin a trusted Claude Code version, verify the package source, and avoid automatic npx downloads in privileged environments.
Monitoring could continue longer than expected or report stale/sensitive terminal output if not removed.
The recurring monitor is disclosed and tied to progress reporting, but it persists outside the immediate chat session unless cleanup works as intended.
Set up a cron job to monitor Claude Code progress every 15 minutes. Report status updates to user via chat.
Create the cron job only with explicit user consent, document its location, and verify that it is removed when the task completes.
If run with a powerful SSH account, the agent can affect more of the VM than just the intended project.
The skill expects SSH access to a VM under a user account, including example host and user values that must be replaced or constrained.
VM_HOST="10.0.0.189" ... VM_USER="hrexed" ... ssh ${VM_USER}@${VM_HOST}
Use a dedicated least-privilege VM account, replace example host/user values, and restrict access to the intended project directory.
Confidential project details may be processed in the Claude Code environment and by the configured provider workflow.
Project ideas, PRDs, architecture, and implementation context are intentionally passed between OpenClaw and Claude Code/BMAD agent workflows.
Orchestrate ... across OpenClaw ↔ Claude Code ... Party Mode ... multiple BMAD agents debate the topic
Only share data that is allowed for that environment, avoid secrets in prompts or artifacts, and confirm provider/workspace data handling policies.
