Agent-manager-for-AI-planner
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly coherent for an AI orchestration service, but its run telemetry/read access controls appear weaker than documented and should be reviewed before shared use.
Before installing or deploying, review the read-access authentication behavior, require and validate run tokens, restrict outbound and callback allowlists, keep tool registration disabled unless needed, and enable telemetry redaction for sensitive or shared use.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
In a shared deployment, someone with any arbitrary token may be able to access run telemetry or reports if these read routes use this helper.
The read-token helper appears to treat any non-empty X-Run-Token as sufficient, rather than checking it against RUN_TOKENS as parseTokenOwner does. This matters because the skill documents read endpoints for runs, events, streams, replay, reports, and run listing.
if (tokenRequired()) return token ? { ok: true } : { ok: false }; ... return token ? { ok: true } : { ok: false };
Validate read tokens against the configured RUN_TOKENS list and enforce run ownership for all run/event/replay/report/list endpoints.
If tool registration or callback allowlists are configured too broadly, plans could invoke external services or send task data outside the service.
The service can register and invoke HTTP callback tools, which is expected for an orchestration kernel but gives external plans a path to trigger tool calls when enabled.
POST /v1/tools/register (only when enabled) ... Callback tools use `callback_url` and enforce `ToolSpec.timeout_ms`.
Keep tool registration disabled unless needed, use strict TOOL_CALLBACK_ALLOWLIST values, and review allowed tools before running third-party plans.
Task content may leave the service and be sent to configured providers or callback endpoints.
The artifact clearly discloses outbound communication with gateways and callback tools, including possible transmission of task and dependency data.
When gateway or callback tools are enabled, task inputs, dependency payloads, and tool payloads may be sent outbound to allowed destinations.
Use minimal allowlists, avoid sending sensitive data unless necessary, and enable telemetry redaction in shared deployments.
Run history, task inputs, and tool results may be retained or exposed through telemetry endpoints.
Replayable telemetry and event history are central to the service, but they may preserve sensitive run context unless redaction is enabled.
GET /v1/run/:id/replay returns stable replay JSON ... Enable `REDACT_TELEMETRY=1` with mode `hash` or `truncate` to redact sensitive event and replay fields
Enable REDACT_TELEMETRY for shared or sensitive use, set appropriate retention limits, and restrict access to replay/report endpoints.
Provider keys or run tokens configured for the service grant access to external AI providers and service runs.
The service can use provider credentials and run tokens from environment variables. This is expected for LLM-provider integration and optional access control, with no supplied evidence of hardcoded or leaked secrets.
GATEWAY_API_KEY: z.string().default(''), OPENAI_API_KEY: z.string().default(''), ANTHROPIC_API_KEY: z.string().default(''), ... RUN_TOKENS: z.string().default('')
Use least-privilege provider keys, rotate secrets regularly, and avoid placing broad production credentials in a shared deployment.
Users have less external context for who maintains the service and where updates come from.
The artifact set includes source files and a package lock, but the registry metadata does not provide an upstream source or homepage for provenance verification.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Prefer installing from a verifiable repository or review the included source and lockfile before deployment.
