v1.0.1

Frugal Orchestrator

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:30 AM.

Analysis

The skill mostly matches its orchestration purpose, but it includes review-worthy automation that can delegate tool calls, persist task data, and push Git changes using local credentials.

GuidanceInstall only if you are comfortable with a skill that routes work to shell/system workflows and sub-agents. Before enabling it, inspect the delegation and scheduler scripts, do not run the Phase 5 automation unless you intend to push Git commits, restrict what files are passed as context, and clear or disable caches for sensitive tasks.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

scripts/delegate.sh

# Output: JSON for Agent Zero call_subordinate execution ... FULL_TASK="$TASK" ... "tool": "call_subordinate" ... "message": "$FULL_TASK"

The task/context text is interpolated directly into a JSON tool request without JSON escaping or encoding, so crafted task text could corrupt or alter the downstream subordinate call.

User impactA malformed or adversarial task could change what is sent to a subordinate or cause the agent to use unintended call parameters.

RecommendationGenerate the JSON with a real encoder, validate or allowlist profiles, and require review before executing delegated tool calls.

Rogue Agents

SeverityLowConfidenceMediumStatusNote

README.md

| **Scheduler** | `scheduler_integration.py` | Recurring task scheduling | Zero manual |

Recurring scheduling is documented and purpose-aligned, but it means tasks may continue without manual triggering once configured.

User impactScheduled automation can keep acting after the initial setup if the user enables it.

RecommendationReview any scheduled jobs before enabling them, keep scheduling disabled by default, and add clear controls for stopping or auditing recurring work.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

README.md

git clone https://github.com/nelohenriq/frugal_orchestrator.git

The setup guidance clones a mutable repository reference rather than a pinned tag or commit, so later installs may differ from the reviewed artifact.

User impactA user following the README could install code that is not identical to the reviewed package.

RecommendationPin the installation instructions to a signed release, tag, or commit hash and keep registry source metadata current.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

scripts/phase5_automation.sh

git add "$LOG_DIR/token_metrics.json" "$TOON_PATH" docs/phase5_log.md ... git commit -m "Update Phase 5 metrics and TOON file [skip ci]" || true ... git push origin main

This script can mutate a remote Git repository, relying on whatever Git credentials are configured locally, with no credential requirement or confirmation documented in the skill metadata.

User impactIf run, the skill could publish commits to a remote repository under the user's Git identity.

RecommendationMake this an explicit opt-in action, add dry-run and confirmation checks, verify the remote and branch, and declare any Git credential requirements.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

scripts/cache_manager.py

DEFAULT_TTL_DAYS = 7 ... data = {'result': result} ... cache_file.write_text(toon_content)

Task results are cached on disk with a default seven-day TTL; this supports token savings but can retain sensitive task outputs for reuse.

User impactSensitive information included in task results may remain in the local cache after the task finishes.

RecommendationAvoid caching sensitive outputs, provide a clear cache-clear option, and document retention and exclusion behavior.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

scripts/delegate.sh

if [[ -n "$CONTEXT" && -f "$CONTEXT" ]]; then FULL_TASK="$TASK\\n\\nContext:\\n$(cat "$CONTEXT")" ... "tool": "call_subordinate"

A provided local context file is embedded into a subordinate-agent message, creating an inter-agent data flow that should be intentional and scoped.

User impactLocal file contents can be forwarded to a subordinate agent if used as context.

RecommendationConfirm context files before delegation, restrict allowed context paths, and warn users not to pass secrets or credential files.