v1.0.13

Project Coordinator

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:26 AM.

Analysis

This appears to be a legitimate project-orchestration skill, but it gives autonomous subagents broad ability to run commands and change workspace files, so it should be reviewed before use.

Guidance: Install this only if you want an agent to coordinate substantial project work through additional autonomous sessions. Before using it, set clear project boundaries, require approval for destructive or external actions, avoid sharing secrets, and monitor spawned coordinators/subagents until they stop.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium. Confidence: High. Status: Concern.
SKILL.md
The Coordinator SHOULD directly call tools:
- `exec` — run commands, check files
- `write` — create output files
- `read` — examine code or documents
- `sessions_spawn` — spawn subagents for parallel work

This explicitly authorizes the coordinator to run shell commands, write files, read workspace content, and create additional agents. Those capabilities are aligned with project execution, but the instructions do not clearly bound command types, paths, destructive actions, or user approval.

User impact: A coordinator or subagent could change project files or run broad workspace commands while pursuing a task, and mistakes could affect code, documents, or local project state.
Recommendation: Use this only for projects where autonomous workspace changes are acceptable. Require explicit user approval for destructive commands, commits, installs, network actions, publishing, or changes outside a clearly named project directory.
Human-Agent Trust Exploitation
Severity: Medium. Confidence: Medium. Status: Concern.
SKILL.md
Subagent sandboxing: When spawning subagents, each subagent runs in an isolated sandbox with workspace-only filesystem access. Subagents cannot access credentials, environment variables, or session transcripts outside their scope. Network access is restricted per platform policy.

The skill presents strong containment and credential-safety guarantees, but the provided instruction-only artifacts do not define or enforce those controls while also granting exec/read/write/spawn authority.

User impact: Users may over-trust the claimed sandbox and provide sensitive project data or allow broad command execution without verifying actual platform restrictions.
Recommendation: Treat the sandbox and credential-access statements as assumptions to verify in the host platform. Avoid giving secrets to this workflow and set explicit boundaries for file access, network use, and command execution.
Rogue Agents
Severity: Low. Confidence: High. Status: Note.
SKILL.md
For long-running projects: Coordinator can spawn child Coordinators for sub-phases

The skill supports nested and potentially long-running agent sessions. It also states that coordinators should stop when complete, which reduces the concern, but users should still notice the autonomous session-spawning behavior.

User impact: Complex projects may create multiple active agent sessions that continue working until the project or sub-phase is considered complete.
Recommendation: Monitor spawned sessions, use clear project labels, and stop coordinators or subagents that are no longer needed.
Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: High. Status: Note.
SKILL.md
git clone https://github.com/KaigeGao1110/Project-Coordinator.git ~/.openclaw/skills/project-coordinator
...
curl -L https://github.com/KaigeGao1110/Project-Coordinator/archive/refs/heads/main.zip

The installation documentation includes unpinned GitHub branch downloads. These are user-directed setup instructions, not automatic execution, but the downloaded contents may differ from the reviewed registry artifact over time.

User impact: Installing from the moving GitHub main branch could install a different version than the one reviewed here.
Recommendation: Prefer the registry package or a pinned commit/tag, and review the installed SKILL.md before enabling it.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low. Confidence: High. Status: Note.
SKILL.md
Receive completion announcements via inter-session messages

The project context and task outputs are expected to move between the main session, coordinator, and subagents. This is central to the skill, but it means project data is shared across agent sessions.

User impact: Information included in a project request may be propagated to spawned coordinator and subagent sessions.
Recommendation: Do not include unnecessary secrets in project descriptions or subagent tasks, and keep task scopes and labels specific.
Memory and Context Poisoning
Severity: Low. Confidence: High. Status: Note.
SKILL.md
The archive-subagent uses the archive-project skill to handle:
- Locating the correct session transcripts
- Sanitizing credentials
- Writing ARCHIVE.md
- Committing to workspace

The skill can persist project history into a workspace archive when requested. This is disclosed and purpose-aligned, but archived summaries or transcripts can retain sensitive context or instructions for later reuse.

User impact: Project records may remain in the workspace after the session ends and could be read or reused later.
Recommendation: Review ARCHIVE.md before keeping or committing it, and confirm that credentials and sensitive notes were removed.