Code Orchestrator
v0.1.0
Route and sequence coding tasks by selecting and orchestrating code exploration, planning, writing, debugging, refactoring, security, safe commands, and Git...
by @sf0799
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the SKILL.md: the file's sole job is to choose and sequence other coding skills (explore, architect, write, debug, refactor, security, shell-safe-exec, git-discipline). It does not request unrelated credentials, binaries, or installs.
Instruction Scope
The instructions are limited to deciding which skills to call, in what order, and why. This orchestration delegates potentially sensitive actions (running commands, modifying repo, checking secrets) to the referenced skills (e.g., $shell-safe-exec, $git-discipline). The orchestrator itself does not instruct reading arbitrary host files or contacting external endpoints, but its safety depends on the invoked skills' scopes and permissions.
Install Mechanism
Instruction-only skill with no install spec and no code files that execute — low risk from installation. Included files are a routing reference and a small agent YAML, which do not contain executable install instructions.
Credentials
The skill declares no required environment variables or credentials. Note: actual environment/credential needs will come from the downstream skills it routes to, so those should be reviewed separately.
Persistence & Privilege
always is false and the agent config explicitly sets allow_implicit_invocation: false, so it will not be automatically invoked implicitly. It does not request persistent system presence or modify other skills' configs.
Assessment
This orchestrator is coherent and low-risk by itself because it only chooses and sequences other skills and has no installs or credential requests. Before installing, review the SKILL.md and manifest of each downstream skill it calls (especially $shell-safe-exec and $git-discipline) to confirm they don't request excessive credentials, run arbitrary network downloads, or execute unsafe host-level commands. Also verify the downstream skills' install specs and environment requirements; the orchestrator inherits their risk. The agent YAML's allow_implicit_invocation: false is a helpful safeguard — keep it if you want to avoid implicit activation.
Like a lobster shell, security has layers — review code before you run it.
