Skill v1.1.1
ClawScan security
Matz Swarm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 7, 2026, 1:06 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code matches its stated orchestration purpose, but it contains several operational mismatches and risky instructions (automatic merge-on-intent, CLI flags that bypass agent permissions, undeclared credential requirements, and filesystem writes) that merit caution before installation.
- Guidance: What you should consider before installing:
  - Read the scripts top-to-bottom. This skill will create worktrees, run tmux sessions, change files (tasks.json, registry.json, Obsidian notes/context.md), push branches, create/merge MRs, and delete worktrees/logs. Back up repositories and notes before running.
  - Credentials: the scripts expect authenticated CLIs (claude/codex OAuth config, glab/gh auth, and openclaw or webhook config). The skill metadata does not declare these env vars — you must ensure tokens are scoped and stored safely (use least privilege tokens for the Git provider and notification system).
  - Dangerous CLI flags: the code deliberately uses flags like --dangerously-skip-permissions and --dangerously-bypass-approvals-and-sandbox to bypass approval/trust dialogs for automation. If you plan to use this, remove or audit those flags so automated agents cannot bypass safety sandboxes.
  - Automatic merges: the SKILL.md maps simple user intents (e.g., user replies "merge") to immediate merge-and-sync actions without confirmation. If you need human review, modify the Intent→Action mapping or disable autonomous invocation/require explicit confirmations for merges.
  - Testing: run the system in an isolated test account/repo first. Configure cron disabled until you have verified behavior. Limit notification targets (e.g., set notifyMethod to none) until you trust behavior.
  - Minimal changes: if you want the orchestration but safer defaults, consider edits: remove 'dangerous' CLI flags, require manual approval before merging, add explicit declared required env vars in the skill metadata, and tighten the notification delivery paths.

  If you want, I can produce a concise list of edits to the scripts to harden default behavior (disable dangerous flags, add confirmation prompts for merging, and declare expected env vars).
Review Dimensions
- Purpose & Capability (note): The name/description (agent swarm for multi-project automation) aligns with the shipped scripts: spawning worktrees, running coding/review agents, creating MRs, syncing main, and writing back to Obsidian/task files. Expected tools (claude, codex, glab/gh, tmux, jq, python3) are referenced in the docs and scripts. Minor coherence issue: registry metadata lists no required env vars/credentials even though the runtime depends on authenticated CLIs (claude, codex, glab/gh, openclaw) and local config files (~/.claude.json, glab auth).
- Instruction Scope (concern): SKILL.md + scripts instruct the agent to take immediate actions for mapped user intents (e.g., when user replies "merge" to a PR_READY notification, run merge-and-sync.sh without confirmation). The scripts modify local repos, worktrees, registry.json, tasks.json, and Obsidian notes. They also call coding/review CLIs with explicit flags that bypass safety/permission dialogs (e.g., claude --dangerously-skip-permissions, codex exec --dangerously-bypass-approvals-and-sandbox). Those 'dangerously' CLI options plus instruction-to-act-immediately broaden the blast radius; the instructions also spawn autonomous tmux sessions to run agents and perform git push/merge operations.
- Install Mechanism (ok): No external download/install spec is provided — the skill is instruction-plus-scripts and the README shows a portable install (copy scripts to ~/agent-swarm). That is low risk from a supply-chain perspective since nothing is being downloaded during install by the skill itself. The included scripts will be written to the filesystem when the user follows the portable install steps.
- Credentials (concern): Registry metadata declares no required env vars or primary credential, but the runtime needs authenticated CLIs and local config: ~/.claude.json and ~/.claude/settings.json (OAuth/trust), glab/gh authentication for repo/MR actions, and openclaw or webhook configuration for notifications. The skill also supports SWARM_* env overrides. The absence of declared required credentials is a coherence issue — the skill will need privileged tokens (git provider, Claude/Codex auth, openclaw webhook or account) to function and could act using those credentials.
- Persistence & Privilege (concern): always:false, but the skill instructs the agent to perform automated merges and other repo-modifying actions immediately on certain intents without interactive confirmation; together with default autonomous-invocation behavior this materially increases risk. The scripts perform persistent changes to user files and repos (tasks.json, registry.json, Obsidian notes, worktrees), can remove worktrees, and will push and merge code — these are high-privilege filesystem and VCS operations within the scope of the described purpose and should be gated by confirmations or limited scopes.
