Codex Conductor

v1.0.0

Methodical end-to-end software delivery orchestrator for Codex CLI with dual project modes (greenfield for new builds, brownfield for existing systems) and dual execution modes (autonomous and gated). Use when users want full lifecycle delivery with strict stage gates, progress tracking, per-step manual/automated testing, continuous docs updates, change-impact management, and a reusable AGENTS.md workflow for any coding agent.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill describes an orchestrator that dispatches coding agents (codex, claude, opencode, pi) and performs verification. The included scripts (agent_exec.py, generate_gate_prompt.py, references/codex-runbook.md) explicitly invoke those CLIs and expect an OpenClaw CLI wake command. However the skill metadata declares no required binaries or credentials. That omission is inconsistent: a legitimate user will need those agent CLIs, and possibly an openclaw CLI and browser automation tooling, for the orchestrator to work.
Instruction Scope
SKILL.md and the references direct the agent to generate prompts, launch external coding-agent CLIs, run manual browser and CLI checks, update project docs, and update .orchestrator status. This is coherent with an orchestrator: the instructions stay within the stated delivery orchestration purpose. A noteworthy runtime behavior: the orchestrator itself is expected to perform 'manual verification' (run CLI commands and browser checks) which implies the runtime environment must have access to web browsers, test accounts, and possibly credentials; the skill does not document those requirements. Also agent_exec.py will pass large prompt text to external CLI binaries — prompts may contain specs and code, which could be sent to remote cloud services depending on the CLI implementation.
Install Mechanism
There is no external install spec (instruction-only installation) and all code is contained in the package. This is lower risk than remote downloads. The package includes multiple scripts and references; nothing in the repo indicates it will automatically fetch or execute arbitrary remote code during install.
Credentials
The skill requests no environment variables or credentials in metadata, yet its runtime requires external coding-agent CLIs and likely test credentials for manual checks. It may rely on credentials/config that exist elsewhere on the host (CLI auth tokens for codex/claude/pi, test user accounts, service API keys). Those are not declared or scoped. Also prompts and specs (including code) will be fed to external CLIs; if those CLIs forward data to cloud services, sensitive project data could be exposed. The lack of declared binaries/credentials in metadata is a proportionality mismatch.
Persistence & Privilege
The skill writes and manages project-local artifacts (docs/*, .orchestrator/status.json and context.json) within the project directory, which is coherent with its purpose. It does not request always:true or claim system-wide modifications. It does spawn external CLIs and writes changelogs/status locally, which is expected behavior for an orchestrator.
What to consider before installing
This orchestrator appears to do what it says, but double-check these before installing or running it:

- Required CLIs: The code expects coding-agent CLIs (codex, claude, opencode, pi) and uses an OpenClaw CLI wake command, yet the skill metadata lists no required binaries. Ensure those CLIs are present and that you understand where they send data (local agent vs cloud service).
- Secrets/test accounts: The orchestrator's manual/browser checks and some test templates assume test user accounts or service credentials. Do not run this on a host containing production secrets. Prepare isolated test accounts / sandbox environments.
- Prompt leakage: Prompts and specs (including code) are passed to external CLIs. If those CLIs call cloud APIs, they may transmit your project content. Avoid including sensitive data in specs/prompts or verify CLI privacy policies.
- Subprocess execution: agent_exec.py invokes external binaries via subprocess.run with prompt text; review and control what prompt files will contain to avoid unintentionally executing arbitrary commands or exposing secrets.
- Run in a safe environment: Initially run the orchestrator against an empty or isolated test repo so you can observe file writes (.orchestrator, docs/) and external calls. Inspect scripts (agent_exec.py, run_gate.py) in full before use.

If you need higher confidence, ask the skill author (or the publisher) to update metadata to declare required binaries and explain expected credentials, or request an explicit README that documents where prompts are sent and what runtime privileges are required.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a9c0483mymthd9rat5d9svx80p5t1
