skill-router
Warn
Audited by ClawScan on May 10, 2026.
Overview
This router is transparent about its purpose, but it asks to become an all-request gateway that directly runs and chains other skills, including account and deployment actions, without tight boundaries.
Install this only if you intentionally want a meta-orchestrator for other skills. Before using it, restrict which skills it may run, require approval before any side-effecting chain, review downstream skills and credentials, and avoid scheduled or auto-recovery behavior unless you have explicitly configured and tested it.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may route ordinary requests through this skill and trigger extra workflows the user did not explicitly ask for.
This makes the router authoritative for every request rather than only for explicit routing tasks, which can redirect user intent into automatic skill selection and chaining.
First gateway for all requests. Use on every request to determine optimal skill combination.
Use this only with explicit opt-in, or change the instructions so the router runs only when the user asks for routing or approves a proposed chain.
A bad match or unsafe downstream skill could run local commands with the user's workspace permissions.
The skill directs the agent to run matched skill scripts directly while intentionally skipping the full downstream skill body, which may omit safety instructions or approval requirements.
Scan only skills/*/SKILL.md frontmatter ... No full body reading ... Direct script execution with exec ... bash $WORKSPACE/skills/{name}/run.sh [args]
Require an allowlist of runnable skills, validate run paths and arguments, review downstream skill instructions before execution, and require confirmation for side-effecting scripts.
Misclassification or an unsafe intermediate result could cause multiple tools or skills to run before the user has reviewed the plan.
The skill describes immediate, parallel, and follow-up tool execution, but the approval boundary is ambiguous and not required for every high-impact chain.
If single → execute skill immediately ... Skills without dependencies execute in parallel (sessions_spawn) ... Auto-trigger additional skills if needed (or request approval)
Show the proposed chain first, require user approval before execution, and require separate approval for public posting, account actions, repository changes, deployments, and recovery actions.
An error in one step could cascade into notifications, reports, recovery attempts, or other actions across the workspace.
One skill's output can automatically trigger additional skills, including an unspecified auto-recovery action, so a wrong or poisoned result can propagate into further changes.
Skill A execution complete → analyze results → auto-determine next skill ... IF health-monitor detects anomaly → THEN attempt auto-recovery + notification-hub(urgent)
Use per-chain containment, validate event sources, make recovery actions dry-run by default, and stop for approval before any state-changing follow-up.
Stale, sensitive, or maliciously written event data could influence later skill chains or expose information between tasks.
The shared persistent event files are used as cross-skill input, but the artifacts do not define origin validation, per-run isolation, retention, or cleanup.
Data between skills saved as JSON events in `events/` folder ... Each skill saves results in `events/latest-{skill-name}.json` format ... Next skill reads that file as input
Use per-run event directories, clear old events, record provenance, validate schemas, and pass only the minimum data needed between skills.
If approved or misrouted, downstream skills could post publicly, send email, or push repository changes using the user's configured accounts.
The router can invoke downstream skills that act through external accounts or repositories. The artifacts disclose some approvals, but the actual account scopes depend on the other installed skills.
insta-post — Instagram upload (requires approval) ... mail — Send report email (requires approval) ... git-auto — Commit + push (only if code-review passes)
Review the downstream skills and their credentials, keep least-privilege tokens, and require explicit approval for every account-affecting action.
The skill could become part of recurring automated routines rather than only responding to immediate user prompts.
The template documents scheduled or automatic operation. No cron installer is included, but if implemented by the agent environment it could run outside a single interactive request.
Trigger: "morning routine", "start today", cron (daily 09:00)
Enable scheduled triggers only with explicit user opt-in, visible configuration, and a simple way to disable them.
