Skillv1.0.0

ClawScan security

Multi-Agent Orchestrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 12, 2026, 4:28 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions, templates, and requirements are internally consistent with a multi-agent orchestration purpose, but it grants broad read/write and shell-style capabilities in its prompts (expected for this use) so you should review platform tool permissions and run it in a safe environment.
Guidance: This skill appears to do what it says (patterns and templates for multi-agent orchestration) and is instruction-only, which lowers supply-chain risk. Before installing or using it, check the following: 1) Tool permissions: confirm what host tools the agent will actually have (Read/Write/Bash/WebFetch/WebSearch). If the agent can run Bash or arbitrary web fetches, restrict those tools or run the orchestrations in a sandbox/test repo. 2) Secrets and sensitive files: do not run this against a repo that contains credentials, private keys, or PII unless you trust the environment and have strict agent tooling limits. 3) Review and approvals: require a human approval step for any pipeline that writes to production branches or runs destructive commands. 4) Budget & concurrency: the templates assume spawning many agents and include budget enforcement — set conservative concurrency and budget limits initially to avoid runaway costs. 5) Provenance: the package metadata has no homepage and an unknown source; if provenance matters, try to verify the author's claims and the cited upstream projects before relying on it in production. If you want a lower-risk test: run the orchestrator templates against a small test repository with all tool access disabled except Read, and with human-in-the-loop gating for any write or shell steps.

Review Dimensions

Purpose & Capability: okThe name/description (multi-agent orchestration) match the SKILL.md and the included templates (fan-out, pipeline, swarm, review cycle). The templates explicitly describe task decomposition, file ownership, file-locking, budget tracking and use of model types; these are expected capabilities for an orchestrator.
Instruction Scope: noteSKILL.md and templates instruct agents to explore the codebase, read and write files under .orchestrator and other repo paths, run stages that list tools including Bash/WebSearch/WebFetch, and produce/aggregate outputs. This is coherent for an orchestrator. However these instructions also enable reading the entire repository and executing shell commands if the host provides such tools — a high-impact capability that could expose secrets or allow destructive actions if tool permissions are not constrained.
Install Mechanism: okInstruction-only skill with no install spec and no code files to execute. No downloads or external install steps are present, which limits the on-disk attack surface.
Credentials: okThe skill requests no environment variables, credentials, or config paths in the registry metadata. The templates reference model names and tools but do not demand unrelated secrets. This is proportionate to its stated purpose.
Persistence & Privilege: okalways:false and normal autonomous invocation settings. The skill does not request permanent presence or attempt to modify other skills or system-wide config in the provided materials.