Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Parallel Thinker
v1.0.0Enables simultaneous queries to multiple expert agents for comprehensive, multi-faceted analysis and synthesizes their insights into a unified response.
⭐ 0· 81·1 current·1 all-time
by@liyico
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's purpose is to parallelize queries to specialized agents and synthesize results, and the implementation does that. However, the runtime script invokes the 'openclaw' CLI (spawn('openclaw', ...)) while the skill metadata lists no required binaries. Declaring the 'openclaw' binary (or equivalent) is expected and missing, which is an incoherence between claimed requirements and actual behavior.
Instruction Scope
SKILL.md and scripts/run.js stay within the stated scope: they read a JSON input, call configured agents in parallel using the OpenClaw CLI, then pass responses to a synthesizer agent. There is no attempt to read arbitrary files or env vars. Note: by default the tool forwards the user's query to multiple agents (default list includes strategist, data-analyst, finance, expert-coder, researcher, synthesizer). That behavior is expected for the stated purpose but may broaden who sees the user's data.
Install Mechanism
There is no install spec (instruction-only with a provided script). No remote downloads or package installs are specified, so no high-risk install action is present. The script will be stored on disk as part of the skill, which is expected.
Credentials
The skill declares no environment variables or credentials, yet it relies on the local 'openclaw' CLI to invoke agents. That CLI will typically use system or agent credentials to make calls. The skill does not declare this dependency or the implicit access it will exercise. Additionally, the default behavior forwards queries to multiple agents which may have different privileges or data access — this broad sharing is not reflected in requires.env and should be explicitly called out.
Persistence & Privilege
The skill is not always-enabled, does not request elevated persistence, and does not modify other skills or global agent config. It only executes at invocation, which is appropriate for its purpose.
What to consider before installing
This skill appears to do what it claims (parallelize queries to other agents) but has two practical concerns you should consider before installing:
1) Missing declared dependency: the included script calls the 'openclaw' CLI, but the skill metadata does not list that binary as required. Ensure you have the CLI available and understand what credentials it uses (it will likely use your agent/CLI credentials).
2) Data exposure: by default the tool forwards the user's original question to several agents (and then to a synthesizer). If your query contains sensitive information, it will be shared with all invoked agents. Consider limiting the default agent list, requiring explicit user confirmation before contacting multiple agents, or auditing the policies/trustworthiness of the agents named.
Recommended actions: ask the author to update metadata to declare the 'openclaw' binary requirement and to document which credentials the CLI will use; test the script in a sandboxed environment; and restrict or review the default agent list if you will send sensitive data.scripts/run.js:35
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk972h3c2z08hn2emntr24typps83n858localvk972h3c2z08hn2emntr24typps83n858
License
MIT-0
Free to use, modify, and redistribute. No attribution required.