Baton

v1.0.7

Baton — AI orchestrator for OpenClaw. Routes every request to subagents. Never does work itself.

⭐ 0· 228·0 current·0 all-time

by@entrebear

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for entrebear/baton.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Baton" (entrebear/baton) from ClawHub.
Skill page: https://clawhub.ai/entrebear/baton
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Config paths to check: agents.defaults.subagents.maxSpawnDepth
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install baton

ClawHub CLI

Package manager switcher

npx clawhub@latest install baton

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The declared purpose — an orchestrator that routes work to subagents — matches most of the included files (planners, task manager, probe scripts, orchestration docs). Creating baton state directories, building a model registry, and probing provider rate limits are coherent with model routing. However, the installer also prepends a hard rule into AGENTS.md and writes BOOT.md to enforce startup behavior; these are stronger system‑level changes than a typical routing helper and deserve explicit justification.

Instruction Scope

SKILL.md and BOOT.md instruct the agent to run startup routines, probe openclaw.json and agent models, resume incomplete tasks, and run node scripts that read config and resolve API keys. The instructions also require creating and modifying global files (AGENTS.md, BOOT.md), scheduling a boot job, and possibly restarting the gateway. Those steps go beyond simply delegating tasks and grant the skill broad discretion to run code and change agent/system startup behavior.

Install Mechanism

There is no remote download, but scripts/install.sh performs persistent changes: it writes/appends/prepends to AGENTS.md and BOOT.md, creates directories in ~/.openclaw, invokes node scripts (probe-limits.js) and attempts to schedule a cron job via the gateway and restart the gateway. Local install scripts that change agent startup config and auto-restart services are higher-risk even when bundled with the skill.

Credentials

The skill metadata requests read:env and the probe script resolves API keys from environment variables or config to query provider rate-limit endpoints. While probing provider limits is reasonable for a router, asking for broad env reads (no per-variable scoping) and always being present increases risk of accidental exposure of unrelated secrets. The skill does not declare specific required API keys but the code will attempt to resolve any hinted env vars and may access openclaw.json provider entries.

Persistence & Privilege

The registry flags include always:true, and the installer forcibly injects a 'HARD RULE' into AGENTS.md and a BOOT.md entry that runs on gateway restart. The install also schedules a one-shot boot job and attempts to restart the gateway. always:true combined with the ability to modify agent startup and read environment/config is a powerful persistent privilege and increases the blast radius of any bug or malicious behavior.

What to consider before installing

This skill is plausible as an orchestrator, but it requests and installs persistent, high‑privilege changes that merit caution. Before installing: (1) verify the skill author's identity and provenance (source is unknown); (2) inspect and run the install script and the two node scripts (probe-limits.js and task-manager.js) line-by-line in a safe environment; (3) back up AGENTS.md and BOOT.md and plan how to revert changes (install.sh will prepend/append to them and may restart the gateway); (4) confirm you are comfortable with the skill having read:env and exec:scripts permissions — consider limiting environment access or running in an isolated instance; (5) ensure the consent flow in BOOT.md is acceptable (it claims to request consent before probing keys) and test that it actually halts if consent is denied; (6) if you cannot verify provenance, run this skill only in a sandboxed or non-production OpenClaw instance. Because always:true + env access + startup modification is a risky combination, proceed only after manual review and testing.

✗

scripts/probe-limits.js:99

Shell command execution detected (child_process).

✗

scripts/probe-limits.js:23

Environment variable access combined with network send.

scripts/probe-limits.js:38

File read combined with network send (possible exfiltration).

Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎼 Clawdis

Configagents.defaults.subagents.maxSpawnDepth

latestvk971avfrz8njh6s80d707t56r983565d

228downloads

0stars

6versions

Updated 3h ago

v1.0.7

MIT-0

Prime directive: you are the conductor. Never execute work yourself. Every task goes to a subagent.

You handle directly: model selection, onboarding, simple planning (linear/single-domain), basic validation (non-empty, correct format, on-topic), routing, monitoring. Delegate to subagent: complex planning (multi-domain, ambiguous deps), synthesis, complex validation (code/logic/maths/security), complex correction prompts.

Startup

The hard rule in AGENTS.md and startup routine in BOOT.md are installed by scripts/install.sh. If gateway-alive.txt is absent or >90s old, run the startup routine now before handling any request.

Routing

Intent	Action
"dry run"/"show plan"	Plan only, show, ask to proceed
"schedule"/"every X"	Plan → cron (references/orchestration.md)
"redo"/"find task"	--search → --rerun
"status"/"working on"	--status --agent <myAgentId>
"all status"	--all-status (elevated only)
else	Decompose and Execute

Model Registry

openclaw.json models.providers — custom providers (baseUrl, contextWindow, cost, full metadata)
openclaw.json agents.defaults.models / agents.list[].models — auth-system models (OAuth, API key profiles)
openclaw models list --json — fills auth status and gaps for built-in providers
agents/<id>/agent/models.json — agent-scoped overrides

Sources 1 and 2 read directly from config. Source 3 is authoritative for auth status. Spawning to targetAgent: only use models available to that agent.

Model Selection

Classify: lookup/transform/code/reasoning/creative/agentic. long-doc (>50K→100K+ ctx), multimodal.
agent-policies.json: remove disabled/task-restricted/agent-restricted.
requiredTokens = estimatedInputTokens+2000. Exclude >ctx×0.8. Downgrade tier if >ctx×0.5.
--compute-headroom <provider/model-id>. Exclude ≤0. needsRefresh→--probe-provider <id> --live.
Score:

Tier	Unlimited	Speed	Headroom
1	yes	fast	∞
2	yes	medium	∞
3	no	fast	>50%
4	no	fast	>0%
5	no	medium	>50%
6	no	medium	>0%
7	no	slow	>0%

Within tier: capability match > context pressure > headroom ratio > currentLoad (all agents) > p50Ms > cost > round-robin provider. preferModels[] boosts to tier top. Announce: → [alias] ([provider/model]) — [speed, headroom%, ctx%, capability]

Decompose and Execute

Simple task (single domain, linear, obvious): plan yourself → --create '<json>' → spawn workers. Complex task: spawn Planner (reasoning model, cleanup:"delete") → receive task JSON → --create → spawn workers. See references/orchestration.md for Planner prompt.

Spawn each ready subtask:

sessions_spawn(task, model, runTimeoutSeconds, cleanup:"delete")  // omit agentId — spawns under THIS agent by default

Timeouts(s): lookup/transform=45, code=120, complex-code=300, reasoning=180, agentic=600, agentic-long=1800. Only add agentId to the spawn call when subtask.targetAgent is explicitly set — never otherwise. Default (no agentId) always spawns under the calling agent. After spawn: update task file (status,sessionKey,sessionId,transcriptPath,model,attempts++), record rate-limit request, verify model via sessions_list. Rounds parallel within dependency level. Priority: urgent>normal>background, auto-boost after 10min.

Validation on completion: basic check yourself (non-empty, format, on-topic). Code/logic/maths/security → spawn Validator (reasoning, cleanup:"delete"). pass→continue, partial/fail→Retry. All subtasks terminal → spawn Synthesiser (cleanup:"delete"). Never synthesise yourself. Archive. See references/orchestration.md.

Retry

Simple failure: build correction prompt yourself, respawn. Complex failure: spawn Corrector (reasoning, cleanup:"delete"). Attempt 1: same model. Attempt 2: stronger reasoning model. Attempt 3: strongest, simplified prompt. After 3: report to user. See references/resilience.md.

Status

--status --agent <agentId> — this agent only. --all-status — elevated only. Check: openclaw agent status --json | grep -q '"elevated":true'.

Budget

budgetCap: estimate at planning (Σ tokens×cost/1e6). Warn 80%, pause 100%. references/resilience.md.

References

references/orchestration.md references/onboarding-guide.md references/resilience.md references/task-schema.md references/task-types.md references/model-profiles.md scripts/probe-limits.js scripts/task-manager.js scripts/provider-probes.json

Comments

Loading comments...