v1.0.0

AI Swarm Orchestration

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:00 AM.

Analysis

This is a disclosed but very powerful autonomous coding swarm that can run AI coding agents with permission bypasses and automatically integrate code, so it should be reviewed carefully before installation.

Guidance: Use this skill only if you want a highly autonomous coding swarm. Install it in a trusted, isolated workspace; inspect the scripts; use disposable branches or forks; protect main with required reviews; avoid permission-bypass flags where possible; scope provider/GitHub credentials; and require a human final approval before merge or deploy.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium; Confidence: High; Status: Concern
metadata
Source: unknown; Homepage: none ... Required binaries ... none ... Install specifications: No install spec

The skill is high-impact executable shell automation, but the registry metadata gives no provenance, homepage, install contract, required binaries, or credential declarations.

User impact: A user may install powerful automation without a clear source of trust or a complete dependency/credential contract.
Recommendation: Only install from a trusted source, review the shell scripts directly, and require the package to declare its required tools and credentials.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
references/TOOLS.md
Claude | `claude --model X --dangerously-skip-permissions -p "prompt"` ... Codex | `codex --model X --dangerously-bypass-approvals-and-sandbox "prompt"`

The documented agent commands bypass normal approval and sandbox protections while giving coding agents repository and shell-level authority.

User impact: Spawned agents could modify files, run commands, or make repo changes without the normal per-action safety prompts.
Recommendation: Use this only in trusted repositories, avoid bypass/full-auto modes where possible, and require manual approval for destructive commands and final merges.

Cascading Failures
Severity: High; Confidence: High; Status: Concern
references/ROLE.md
Auto-merge to main, update ESR, notify WB

The integration phase can automatically merge parallel agent work into the main branch after the swarm completes.

User impact: A bad agent change, merge conflict resolution, or flawed review can propagate into the main branch and downstream CI/deployments.
Recommendation: Add a mandatory human final-merge gate, protect main branches, and run the swarm first on disposable branches or forks.

Human-Agent Trust Exploitation
Severity: Medium; Confidence: High; Status: Concern
scripts/integration-watcher.sh
# Check verdict file; auto-infer if missing (watcher decides) ... `Integration review auto-passed ... clean exit, no issues indicated`

The script can treat a missing mandatory review verdict as a successful review, which may overstate assurance.

User impact: A user may be told integration passed even when the reviewing agent did not produce the required verdict file.
Recommendation: Fail closed when verdict files are missing and require explicit review output before merge or notification of success.

Rogue Agents
Severity: Medium; Confidence: High; Status: Note
SKILL.md
Launches agents in tmux sessions ... Starts per-agent completion watchers ... Starts integration watcher (auto-merge when all done)

Detached agents and watchers are central to the skill and disclosed, but they continue acting asynchronously after the user starts the workflow.

User impact: Agents may keep working, reviewing, notifying, or integrating while the user is no longer actively supervising the session.
Recommendation: Monitor tmux sessions, know how to stop watchers, and use repository protections to limit what background agents can change.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
references/duty-table-template.json
"claude": { "cli": "claude", "auth": "oauth" ... "codex": { "cli": "codex", "auth": "oauth" ... "gemini": { "cli": "gemini", "auth": "oauth"

The swarm uses locally authenticated AI provider accounts, while the registry metadata does not declare a primary credential.

User impact: The automation may consume quota and act through the user's authenticated AI accounts.
Recommendation: Use dedicated low-privilege accounts or profiles where possible, and confirm which provider credentials and quotas the CLIs will use.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium; Confidence: High; Status: Note
scripts/integration-watcher.sh
All work logs are persisted to <project>/docs/history/ ... The following work logs were written by builder and reviewer agents ... USE THEM

Agent-written work logs are persisted and later reused as integration context, which is useful but can carry poisoned instructions or sensitive project details.

User impact: Private project context may be stored in logs and reused by later agents; malicious or mistaken log content could influence integration decisions.
Recommendation: Treat agent logs as untrusted context, review persisted summaries, and avoid including secrets or private notes in prompts and logs.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
scripts/integration-watcher.sh
openclaw message send --channel "$NOTIFY_CHANNEL" --target "$NOTIFY_TARGET" --message "$msg"

The skill can send swarm status and integration messages through an external notification channel.

User impact: Task names, project names, branch status, or review summaries may be sent to Telegram or another configured channel.
Recommendation: Configure notification targets carefully and avoid sending sensitive code or secret-bearing summaries through chat channels.