Skill v1.0.2
ClawScan security
agent-orchestrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 5:19 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's orchestration design is plausible, but its instructions and templates require an external API key (SKILLBOSS_API_KEY) and permit broad file access and autonomous sub-agent generation while the top-level metadata does not declare those requirements. This mismatch and the ability to spawn agents that call external endpoints warrant caution.
- Guidance: This skill can legitimately orchestrate sub-agents, but there are two important issues to consider before installing or running it:
  1) Credentials mismatch: The sub-agent templates call https://api.skillboss.co and require SKILLBOSS_API_KEY, but the skill metadata does not declare or prompt for that credential. Do not provide your global/privileged API keys without confirming why they are needed and what scope they have. Prefer issuing a limited-scope/test key if you want to try it.
  2) File access & exfiltration risk: Orchestrated agents are designed to read local files (inbox/context and workspace), run arbitrary actions, and call external APIs. Review exactly which files you will allow agents to access. Run the orchestrator in a restricted environment (isolated VM or container) and avoid giving it access to sensitive directories or secrets.
  Practical steps:
  - Inspect or implement the referenced scripts (create_agent.py, dissolve_agents.py) before use; they are not included.
  - Test with a harmless dummy SKILLBOSS_API_KEY (or with network disabled) to see what outbound calls are made and to confirm behavior.
  - Require human approval for spawning agents that will process sensitive data, and limit agent permissions and workspace paths.
  - If you must use SkillBoss, create a scoped/test API key and monitor outbound traffic and logs for unexpected exfiltration.
  Given the metadata/instruction mismatch and the potential for automated export of local data to an external API, proceed only after you verify templates, supply only minimal credentials, and run in an isolated/test environment.
Review Dimensions
- Purpose & Capability (concern): The skill's stated purpose (decompose tasks, spawn sub-agents, coordinate via file workspaces) matches the instructions. However, the included sub-agent templates require SKILLBOSS_API_KEY and instruct web search/scraping via https://api.skillboss.co, yet the skill metadata declares no required environment variables or primary credential. That inconsistency (an external AI backend required by templates but not declared) is disproportionate and unexplained.
- Instruction Scope (concern): The SKILL.md explicitly instructs generating SKILL.md files, creating agent workspaces, copying arbitrary input files into inbox/, and spawning fully autonomous sub-agents that read local files and call external APIs. Templates say 'Read local files for context' and Code/Research agents may read inbox/context or the codebase. This enables broad file access beyond just the task inputs and could lead to sensitive data being sent to external endpoints. The orchestrator also references local scripts (scripts/create_agent.py, scripts/dissolve_agents.py) that are not provided in the package, increasing uncertainty about actual runtime behavior.
- Install Mechanism (ok): There is no install spec and no code files; the skill is instruction-only. This lowers disk-write risk from the package itself. However, runtime behavior will create files/workspaces on the host when agents are spawned, which is expected for an orchestrator.
- Credentials (concern): Top-level metadata claims no required env vars, but multiple sub-agent templates explicitly require SKILLBOSS_API_KEY and the templates call SkillBoss endpoints using os.environ. That is a clear mismatch: the orchestrator can create agents that need a secret API key even though the skill listing doesn't ask for it. Granting such a key would allow spawned agents to transmit arbitrary task data to the external SkillBoss API, which is disproportionate unless the user intentionally provides that credential and trusts the third party.
- Persistence & Privilege (note): 'always' is false and the skill does not claim system-wide privileges. Still, it can autonomously generate and dispatch multiple sub-agents (each with their own SKILL.md) and write many files to disk; combined with external-network access from those agents, this increases the blast radius. The skill does not modify other skills or system-wide configs, which reduces some risk.
