Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Multi-Agent Coordinator
v0.1.0Production-ready multi-agent orchestration system for OpenClaw. Implements Coordinator Mode with real parallel worker spawning via sessions_spawn, XML task n...
⭐ 0· 84·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the code: the package implements a Coordinator and workers and uses a four‑phase workflow. However the code calls an external 'openclaw' CLI (and SKILL.md shows a 'sessions_spawn' command), yet the registry metadata declares no required binaries. The coordinator also creates prompts that instruct spawned workers to use powerful tools (read/edit/bash/web_search), which is coherent with orchestration but should have been declared as a runtime dependency/requirement.
Instruction Scope
SKILL.md and scripts instruct the agent to prepare prompts, spawn real workers, and process XML notifications; the worker prompts explicitly tell workers to use file operations, bash, web_fetch, etc., and to include exact file paths and code snippets in results. That means spawned workers can read and modify repository files and potentially any files accessible to the agent. The instructions also expect collecting and parsing arbitrary XML outputs from workers. The scope is broad and includes actions (file read/write, shell/subprocess invocation, network fetch) that go beyond simple orchestration; this is intended for the feature but increases risk and should be verified.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded automatically. That is lower risk. But the code invokes subprocesses calling an 'openclaw' CLI (and SKILL.md suggests a 'sessions_spawn' tool) which is not declared as a required binary — an undeclared external dependency. No remote archives or installers are present in the package.
Credentials
The skill declares no required environment variables or credentials, which superficially looks minimal. In practice it spawns workers that are instructed to use powerful tools (file I/O, bash, web_fetch, web_search) and persist state under .openclaw/scratchpad. That means sensitive local data (secrets, config files) may be exposed to spawned workers. Also the 'openclaw' CLI the scripts call may require credentials or an environment the package doesn't declare. The lack of declared credentials is not malicious, but the combination of undeclared CLI dependency and broad worker tool access is disproportionate if you expected a lightweight coordinator.
Persistence & Privilege
The skill persists state to .openclaw/scratchpad and coordinator_state.json (expected for an orchestrator) and does not set always:true. It does not appear to modify other skills or global agent settings. Still, persistence of worker prompts/results to the filesystem means sensitive outputs will remain on disk and should be monitored/cleared as needed.
What to consider before installing
This skill is functionally coherent with a multi-agent orchestrator, but take precautions before running it:
- Expect to need the OpenClaw CLI (or equivalent) in PATH: the scripts call subprocess commands like 'openclaw sessions spawn' though the registry metadata claims no required binaries; install and verify the OpenClaw CLI you plan to use first.
- The SKILL.md and code are inconsistent about spawn commands (SKILL.md shows 'sessions_spawn' while code uses 'openclaw sessions spawn'); verify the correct invocation for your environment.
- Spawned workers are explicitly allowed to run file operations, shell commands, and web fetches and are instructed to include concrete file paths and code snippets in outputs — run this skill only in an isolated/sandbox workspace without secrets or sensitive files.
- Review the worker prompt templates and scripts (coordinator_v2.py, coordinator_phase2.py, worker.py) to confirm they do not exfiltrate data to external endpoints you don’t control. The package itself does not contain external network endpoints, but worker prompts could instruct sub-agents to perform web requests.
- Test in a disposable environment first (empty repo, no credentials), and inspect .openclaw/scratchpad after runs. If you need to use in production, consider adding explicit restrictions/sandboxing on spawned workers and ensure the OpenClaw CLI you trust is used.
If you want, I can list the exact lines where subprocess calls are made and point out the files/sections that should be reviewed or edited before use.Like a lobster shell, security has layers — review code before you run it.
latestvk973e3pjyydfyf51mh0dmc23e98417x7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.