Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Matz Swarm
v1.1.1
Orchestrate OpenClaw Agent Swarm workflows for multi-project coding automation with Obsidian task intake, Claude coding, Codex review, GitLab MR flow, merge+...
by @matzoh
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (agent swarm for multi-project automation) aligns with the shipped scripts: spawning worktrees, running coding/review agents, creating MRs, syncing main, and writing back to Obsidian/task files. Expected tools (claude, codex, glab/gh, tmux, jq, python3) are referenced in the docs and scripts. Minor coherence issue: registry metadata lists no required env vars/credentials even though the runtime depends on authenticated CLIs (claude, codex, glab/gh, openclaw) and local config files (~/.claude.json, glab auth).
Instruction Scope
SKILL.md + scripts instruct the agent to take immediate actions for mapped user intents (e.g., when user replies "merge" to a PR_READY notification, run merge-and-sync.sh without confirmation). The scripts modify local repos, worktrees, registry.json, tasks.json, and Obsidian notes. They also call coding/review CLIs with explicit flags that bypass safety/permission dialogs (e.g., claude --dangerously-skip-permissions, codex exec --dangerously-bypass-approvals-and-sandbox). Those 'dangerously' CLI options plus instruction-to-act-immediately broaden the blast radius; the instructions also spawn autonomous tmux sessions to run agents and perform git push/merge operations.
Install Mechanism
No external download/install spec is provided — the skill is instruction-plus-scripts and the README shows a portable install (copy scripts to ~/agent-swarm). That is low risk from a supply-chain perspective, since the skill itself downloads nothing during install. The included scripts are written to the filesystem when the user follows the portable install steps.
Credentials
Registry metadata declares no required env vars or primary credential, but the runtime needs authenticated CLIs and local config: ~/.claude.json and ~/.claude/settings.json (OAuth/trust), glab/gh authentication for repo/MR actions, and openclaw or webhook configuration for notifications. The skill also supports SWARM_* env overrides. The absence of declared required credentials is a coherence issue — the skill will need privileged tokens (git provider, Claude/Codex auth, openclaw webhook or account) to function and could act using those credentials.
Persistence & Privilege
always:false, but the skill instructs the agent to perform automated merges and other repo-modifying actions immediately on certain intents without interactive confirmation; together with default autonomous-invocation behavior this materially increases risk. The scripts perform persistent changes to user files and repos (tasks.json, registry.json, Obsidian notes, worktrees), can remove worktrees, and will push and merge code — these are high-privilege filesystem and VCS operations within the scope of the described purpose and should be gated by confirmations or limited scopes.
What to consider before installing
What you should consider before installing:
- Read the scripts top-to-bottom. This skill will create worktrees, run tmux sessions, change files (tasks.json, registry.json, Obsidian notes/context.md), push branches, create/merge MRs, and delete worktrees/logs. Back up repositories and notes before running.
- Credentials: the scripts expect authenticated CLIs (claude/codex OAuth config, glab/gh auth, and openclaw or webhook config). The skill metadata does not declare these env vars — you must ensure tokens are scoped and stored safely (use least privilege tokens for the Git provider and notification system).
- Dangerous CLI flags: the code deliberately uses flags like --dangerously-skip-permissions and --dangerously-bypass-approvals-and-sandbox to bypass approval/trust dialogs for automation. If you plan to use this, remove or audit those flags so automated agents cannot bypass safety sandboxes.
- Automatic merges: the SKILL.md maps simple user intents (e.g., user replies "merge") to immediate merge-and-sync actions without confirmation. If you need human review, modify the Intent→Action mapping or disable autonomous invocation/require explicit confirmations for merges.
- Testing: run the system in an isolated test account/repo first. Configure cron disabled until you have verified behavior. Limit notification targets (e.g., set notifyMethod to none) until you trust behavior.
- Minimal changes: if you want the orchestration but safer defaults, consider edits: remove 'dangerous' CLI flags, require manual approval before merging, add explicit declared required env vars in the skill metadata, and tighten the notification delivery paths.
If you want, I can produce a concise list of edits to the scripts to harden default behavior (disable dangerous flags, add confirmation prompts for merging, and declare expected env vars).
Like a lobster shell, security has layers — review code before you run it.
latest vk971vmfk8q6yeg9ekkf57tk8hn82en0h
