Agent Collaboration Protocol
ReviewAudited by ClawScan on May 9, 2026.
Overview
This is a coherent multi-agent build workflow, but it intentionally lets subagents write and later integrate project code, so users should review generated changes before activation.
This skill appears safe for its intended use if you want a coordinated backend/frontend build workflow. Use it on a branch or sandbox, provide an explicit build directory, avoid real secrets in specs or logs, review the helper script before running it, and manually inspect/test all generated code before merging or deploying.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated or copied code could break an application or introduce defects if merged or activated without human review.
The skill intentionally has subagents create application code and later instructs activation/integration. This is core to the build workflow, but it can affect a real project if used without review.
Write all backend code to {ABSOLUTE_BUILD_DIR}/backend/ ... Write all frontend code to {ABSOLUTE_BUILD_DIR}/frontend/ ... Step 5: Deploy & ActivateUse a branch or sandbox, keep the build directory scoped, inspect diffs, run tests, and manually approve any copy/deploy step.
Information placed in the shared spec or logs may be visible to multiple spawned agents and may influence their work.
The skill's intended mechanism is inter-agent delegation through a shared filesystem workspace. The workflow is disclosed and scoped, but users should understand that multiple agents will read and write shared artifacts.
Three roles collaborate through a shared workspace ... Spawn two subagents with `sessions_spawn`
Only put task-relevant information in the shared workspace, avoid secrets, and verify each subagent's output before trusting it.
If a user pastes real credentials into the shared contract or logs, those secrets could persist in project files and be exposed to other agents.
The templates include authentication scheme fields. This is expected for backend/frontend integration, but real tokens or cookies should not be written into shared specs or logs.
| Auth Scheme | Bearer JWT / Session cookie / None |
Use placeholders for tokens, document auth flow without real secrets, and redact any credentials from generated files or logs.
Running the helper will create or modify local project files, including a .gitignore if one does not already exist.
A shell helper is included and can write files in a chosen project directory. It is not automatically run by an install spec, and the visible commands are simple workspace initialization steps.
Usage: ./init_collab.sh /path/to/project ... mkdir -p "$SHARED_DIR" ... cat > "$PROJECT_DIR/.gitignore"
Review the script before running it and execute it only against the intended project path.