Warp Oz
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill with your token can start and manage Warp Oz agent work within the token's permissions.
The skill requires a Warp API key to act against the user's Warp Oz account. This is expected for the integration, but it is delegated account authority.
"env": ["WARP_API_KEY"] ... "Warp Oz API Bearer token (wk-*). Get from app.warp.dev → Settings → API Keys."
Use a dedicated or least-privileged Warp API key if available, keep it out of chat logs, and revoke it if you no longer need the skill.
A broad or mistaken prompt could launch unwanted cloud work, affect repository workflows, or consume account resources.
The wrapper exposes broad API operations for cloud agents. This is the skill's advertised purpose, but those operations can create, cancel, inspect, and manage cloud coding runs.
`oz-api.sh` — bash wrapper covering every Oz API endpoint (runs, polls, schedules, artifacts, agents)
Review the exact command, environment ID, prompt, and target skill before running agent jobs, especially for repository-changing work.
Scheduled agents may run later, potentially consuming resources or changing repository state if the schedule is left enabled.
The script can create enabled cron schedules for agents. This is documented and user-invoked, but it creates activity that can continue after the initial chat.
cmd_schedule_create() ... local prompt="" cron="" env_id="" name="" base_prompt="" enabled="true" ... api_call_verbose POST "/agent/schedules" -d "$json"
Create schedules only intentionally, use clear names, review schedule lists periodically, and pause or delete schedules that are no longer needed.
Incorrect, sensitive, or adversarial content from one stage could be reused by later stages or carried through a shared sandbox.
The orchestrator forwards one stage's status message and session link into the next stage's prompt. This is expected for multi-agent pipelines, but prior agent output can influence later agents.
Summary: {prev.status_message}\nSession: {prev.session_link}\n\nContinue the work.Inspect intermediate results for sensitive or suspicious content, and use isolated conversations when appropriate, such as the documented `--no-conversation` option.