Cc Godmode 5.11.3
v1.0.0Self-orchestrating multi-agent development workflows. You say WHAT, the AI decides HOW.
⭐ 0· 79·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (multi-agent orchestration for development workflows) match the SKILL.md content: the doc describes orchestrator/subagents that run shell commands, grep codebases, call GitHub, run Playwright, etc. That runtime behaviour is coherent with the purpose. Minor inconsistency: registry-level top-line metadata (no required env vars/binaries) differs from SKILL.md and clawdis.yaml which declare runtime.requires_binaries/credentials/network = true and list optional runtime credentials (e.g., GH_TOKEN, Claude auth). This difference appears to be a packaging/manifest mismatch rather than malicious, but it is worth noting.
Instruction Scope
The SKILL.md instructs agents to execute shell commands (bash, grep, tsc, gh), read and write project files (including paths like ~/.claude/agents/ and skill directories), invoke network calls (WebFetch/WebSearch, GitHub API), and run test tooling (Playwright, Lighthouse). These actions are within an orchestrator's remit, but they give the agent potential access to repository contents, local files and remote services. If the runtime agent is granted credentials or system access, these instructions could be used to modify code, create PRs, push changes, or transmit data — so you must control which credentials and permissions the agent has at runtime.
Install Mechanism
Instruction-only skill with no install-time executable payload and no install spec — low install-time risk. Nothing is downloaded or written by an installer in the package itself.
Credentials
The registry shows no required env vars, but the skill documentation and clawdis.yaml declare optional runtime credentials (GH_TOKEN, Claude/Anthropic auth, MCP auth) and list required runtime binaries (bash, git, grep) for full workflows. These credentials and binaries are plausible and proportionate for GitHub operations, CLI-driven tests, and multi-agent orchestration — but they are powerful. The skill doesn't demand an install-time secret, but if you provide GH_TOKEN/CLAUDE creds to the agent at runtime, those tokens could be used by the orchestrated agents.
Persistence & Privilege
Skill does not request always:true and does not bundle persistent installers. Autonomous invocation by the agent is allowed (default platform behaviour) — appropriate for an orchestrator. Combine this normal autonomy with the above runtime capabilities cautiously (e.g., avoid giving broad tokens/permissions).
Assessment
This skill is documentation-only and appears to be what it says: an orchestration guide that tells the agent how to run multi-agent development workflows. The main risk is runtime, not install-time. Before using it: 1) Review SKILL.md fully to understand what the agents will do (they can run bash, grep, tsc, gh, Playwright, WebFetch). 2) Do not provide high-privilege credentials (GH_TOKEN, server auth, etc.) to the agent unless you trust it — prefer least privilege tokens (read-only or repo-scoped) and test in a sandbox repository. 3) Run initial workflows with network access restricted (or with a non-production account) to observe behavior. 4) Be aware that rules like “NEVER git push without permission” are advisory; nothing in the documentation enforces them automatically. 5) If you need stronger assurance, run the orchestrator in an isolated environment (CI runner or disposable VM) and audit logs and commits created by the agent before giving broader access.Like a lobster shell, security has layers — review code before you run it.
latestvk977qwhppmhac35dhjwbs4fhkd83jstz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🚀 Clawdis