Agent Factory
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may not be installing or reviewing the package identity they expect, which weakens trust in updates and provenance.
This embedded metadata conflicts with the registry metadata shown for owner, slug, and version; SKILL.md also documents installing 'sub-agent-factory' while the evaluated registry slug is 'agent-factory-100'.
"ownerId": "kn725q11g4d88mxsn46ghhf7qx81nj3s", "slug": "sub-agent-factory", "version": "1.1.0"
Verify the publisher and intended slug before installing; the package should be republished with consistent registry metadata, _meta.json, and installation instructions.
A crafted or accidental agent name could create directories or overwrite a SKILL.md outside the intended agents folder.
The script builds filesystem paths directly from the user-controlled agent name and overwrites SKILL.md without validating against '..', slashes, absolute paths, or existing files.
NAME=$1
DIR="agents/$NAME"
mkdir -p "$DIR/inbox" "$DIR/outbox" "$DIR/workspace"
...
cat <<EOM > "$DIR/SKILL.md"
Only use simple safe agent names, run the script in a disposable workspace, and update the script to reject path separators, '..', absolute paths, and existing target files.
Anything placed in an agent's inbox may be treated as an instruction, and outputs written to outbox may be read or reused later.
The generated agent definition relies on file-based inbox/outbox communication, but the artifacts do not define message origin, trust boundaries, or access controls for those folders.
Read instructions from ./inbox and write outputs to ./outbox.
Keep each agent's inbox/outbox private to the task, avoid placing secrets there, and review messages before letting an agent act on them.
