Agent Swarm Orchestrator
WarnAudited by ClawScan on May 10, 2026.
Overview
This appears to be a real coding automation skill, but it can keep running in the background and use your coding/Git accounts to change, push, and merge code with normal approvals disabled.
Install only if you intentionally want continuous autonomous coding agents acting on your repositories. Use dedicated low-privilege Git and AI-provider accounts, remove dangerous approval-bypass flags where possible, keep cron disabled until tested, require confirmation before merge/push-sensitive actions, trust and review your Obsidian task source, and back up worktrees before enabling cleanup.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An ambiguous or accidental merge request response could cause code to be merged and local main to be synced under the user's Git account.
The skill tells the agent to perform a repository merge action immediately from a short intent phrase, without a second confirmation or review of MR details.
When a user message matches one of these intents, take the corresponding action immediately without asking for confirmation ... "merge it" ... run `merge-and-sync.sh <project> <mr-iid>`
Require an explicit confirmation step showing project, MR number, title, CI status, and target branch before any merge or destructive sync action.
If untrusted or synced Obsidian/task content is processed, it may be able to trigger unintended local Python execution in the background monitor.
Task data is shell-expanded directly into Python source in an unquoted heredoc. A crafted task description containing Python string delimiters could break out of the string when the cron monitor runs.
python3 - << PYEOF ... task_desc = r'''$DESC'''
Pass task data to Python through argv, stdin JSON, or environment variables, and use quoted heredocs so shell interpolation cannot alter Python code.
The skill can keep launching and managing coding agents in the background whenever configured notes change to ready status.
The documented setup establishes recurring cron jobs that continue scanning notes, checking agents, sending notifications, and cleaning worktrees after installation.
*/3 * * * * ~/agent-swarm/scripts/check-agents.sh */5 * * * * ~/agent-swarm/scripts/scan-obsidian.sh 0 3 * * * ~/agent-swarm/scripts/cleanup.sh
Install cron jobs only after dry-run testing, keep a clear disable switch, and review pending Obsidian tasks before enabling background scans.
The automation may act with the user's existing Claude, Codex, GitLab/GitHub, and OpenClaw privileges rather than a narrowly scoped service account.
The skill depends on local authenticated CLI profiles and asks for disabled Claude permission prompts, while its account actions include coding, pushing, MR creation, repo creation, and merge flows.
- Authenticated via OAuth (`~/.claude.json` oauthAccount) - `~/.claude/settings.json`: `skipDangerousModePermissionPrompt: true` - `glab` CLI (GitLab)
Use dedicated low-privilege accounts or tokens limited to test repos, and declare required credentials and scopes clearly before installation.
A status bug or premature cleanup could delete local task worktrees before the user has finished reviewing or merging the work.
The daily cleanup path can force-remove worktrees for tasks marked ready_to_merge or with missing task status, not only definitively completed tasks.
[ "$TASK_STATUS" = "ready_to_merge" ] ... git worktree remove -f "$WORKTREE_DIR" ... rm -rf "$WORKTREE_DIR"
Only remove worktrees after confirmed merge/done status, verify a clean pushed branch, add an age threshold, and prefer dry-run logs before deletion.
Bad instructions or secrets placed in context.md may be reused across tasks and sent to coding/review providers.
Persistent project context is loaded into future coding-agent prompts, so stale or poisoned context can steer later autonomous work.
[ -f "$CONTEXT_FILE" ] && CONTEXT_SECTION=$(cat "$CONTEXT_FILE") ... echo "${CONTEXT_SECTION}"Keep context files trusted, reviewed, and free of secrets; treat Obsidian and context.md as inputs that can control agent behavior.
Task descriptions or MR links may leave the local machine through the configured notification channel.
Notifications are sent to configured OpenClaw/Telegram or webhook targets, carrying task summaries, MR URLs, and other workflow metadata.
openclaw message send --channel "$SWARM_NOTIFY_CHANNEL" --target "$SWARM_NOTIFY_TARGET" --message "$msg" ... curl -s -X POST "$SWARM_NOTIFY_TARGET"
Configure only trusted notification targets and avoid putting secrets or sensitive implementation details in task descriptions.