Agent Team Kit

Review: Audited by ClawScan on May 10, 2026.

Overview

This is a transparent workflow kit, but it encourages autonomous heartbeat-driven agents to spawn other agents and execute queued work without clear approval or containment limits.

Install only if you intentionally want autonomous multi-agent operation. Before merging the heartbeat, set explicit boundaries for what agents may do, require approval for public/external/destructive/account-affecting tasks, limit who can edit process files, avoid logging sensitive DMs or emails, and pin any GitHub source you clone.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If enabled, agents may continue launching work and delegating tasks while the user is not supervising, which can cause unwanted actions, cost, or workflow drift.

Why it was flagged

The heartbeat instructions explicitly create recurring autonomous coordination and agent spawning, but do not define limits such as maximum agents, budgets, stop conditions, or actions that require human approval.

Skill content

Heartbeat = keep the team running. NOT "check and chill." Spawn agents, keep work flowing. ... If the team isn't working, spawn them.

Recommendation

Before using the heartbeat, define clear schedules, stop conditions, max parallel agents, cost limits, and mandatory human approval for sensitive or high-impact tasks.

What this means

A task placed in the Ready queue could be executed by an agent without a fresh human check, even if it affects important files, services, or public outputs.

Why it was flagged

The Ready queue can contain arbitrary work, but the instruction removes approval requirements without clearly excluding destructive changes, public posting, deployments, account changes, or other high-impact actions.

Skill content

If it's in Ready, any agent can pick it up. No approval needed.

Recommendation

Require human review before moving high-impact tasks into Ready, and explicitly mark which task types agents may execute without approval.

What this means

Sensitive information from messages or emails could be persisted in workspace files, and untrusted or mistaken entries could become future agent tasks.

Why it was flagged

Private or external inputs can be written into persistent process files that later drive triage and execution, with no clear redaction, trust, retention, or anti-poisoning controls.

Skill content

Sources of work: User feedback (community channels, DMs, emails) ... Output: Raw ideas logged to `process/OPPORTUNITIES.md` ... Who can add: ANYONE.

Recommendation

Limit who can edit process files, redact sensitive details, define retention rules, and require trusted review before persistent entries become executable Ready tasks.

What this means

Users may be nudged to supervise the system less than is appropriate for their environment.

Why it was flagged

The wording is consistent with the autonomy-focused purpose, but it explicitly encourages user trust and reduced oversight despite the broad autonomous workflow.

Skill content

The system runs itself. Your job is to trust it.

Recommendation

Treat the phrase as motivational, not as a safety guarantee; keep explicit oversight for sensitive work.

What this means

If the user installs from GitHub instead of the reviewed registry artifact, they may receive different or changed content.

Why it was flagged

The README suggests cloning a remote repository without a pinned commit. This is user-directed and not automatically executed by the submitted package, but it is still a provenance surface.

Skill content

git clone https://github.com/reflectt/agent-team-kit skills/agent-team-kit

Recommendation

Prefer the reviewed package, or pin and inspect the exact repository commit before cloning.