Agent Orchestrator 0.1.0
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is transparent about being a meta-agent, but it can spawn autonomous sub-agents with broad tools and dynamically generated instructions without clear limits or approval gates.
Install only if you intentionally want autonomous multi-agent delegation. Use a dedicated workspace, avoid secrets unless necessary, review generated sub-agent SKILL.md files, verify any helper scripts before running them, set limits on agent count/runtime/tools, and clean up agent workspaces after completion.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Multiple autonomous agents could operate in parallel, consume resources, and read or write workspace files beyond what the user expected for a single request.
The skill instructs the main agent to launch general-purpose autonomous sub-agents and monitor them minimally, without specifying a maximum agent count, time limit, approval gate, or hard stop.
Spawning the agent using the Task tool ... subagent_type="general-purpose" ... For fully autonomous agents, minimal monitoring is needed
Use only with explicit user approval for each orchestration plan; require max agent count, time limits, tool allowlists, generated-skill review, and a clear shutdown/cleanup step.
A delegated sub-agent could modify files or run local commands as part of a generated task, which can have side effects if the task or workspace is poorly scoped.
Sub-agent templates can grant broad filesystem and shell capabilities, and the artifacts do not require per-command approval or constrain which paths and commands may be used.
Tools Available - Read/Write/Edit: File operations - Bash: Execute commands, run tests
Review generated sub-agent instructions before launch, restrict tools per subtask, keep all work inside a dedicated workspace, and require confirmation for shell commands or file edits outside that workspace.
If a user or agent obtains similarly named scripts elsewhere, their behavior would be outside this review.
The core workflow references helper scripts such as create_agent.py and dissolve_agents.py, but the supplied manifest contains no scripts or code files, so those helpers were not reviewable here.
python3 scripts/create_agent.py <agent-name> --workspace <path>
Do not run external helper scripts unless their source is trusted and their contents have been reviewed; prefer replacing these steps with transparent, user-approved file operations.
Incorrect or tampered files in the workspace could be treated as legitimate inter-agent messages or task context.
The optional inter-agent message queue is plain file-based messaging with sender fields, but no stated integrity, origin, or permission checks.
orchestrator-workspace/messages/{agent-a}_to_{agent-b}_001.json ... "from": "agent-a", "to": "agent-b"
Keep the workspace private, validate message filenames and contents, and treat inter-agent messages as untrusted data unless produced by the expected agent.
A bad intermediate result can propagate into later agents and affect the final consolidated output.
The protocol intentionally feeds one agent's outputs into later agents and supports parallel execution, but it does not describe validation gates before dependent agents consume those outputs.
Copy dependency outputs to agent inbox ... Spawn all independent agents at once
Add validation checkpoints between dependency stages, require human review for high-impact outputs, and isolate failed or uncertain agent results before reuse.
