Skylv Agent Team Coordinator
PassAudited by VirusTotal on May 1, 2026.
Overview
Type: OpenClaw Skill Name: skylv-agent-team-coordinator Version: 1.0.0 The skill bundle provides a framework and architectural patterns for a multi-agent orchestration system. The TypeScript code snippets in SKILL.md demonstrate standard agent logic, including task decomposition, state management, and communication via a message bus. It uses the official OpenAI API endpoint and environment variables for authentication, with no evidence of data exfiltration, malicious execution, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user turns this sample into a working system with powerful tools, model-generated plans could trigger actions faster than the user expects.
The example design lets an LLM decompose goals into subtasks, schedule them, and expose agent tool definitions. That is aligned with a multi-agent orchestrator, but powerful tools would need explicit approval boundaries.
async execute(goal: string): Promise<string> { ... const plan = await this.decompose(goal); ... const results = await this.schedule(); ... tools: this.config.tools.map(t => t.definition)Limit each agent’s tools, require confirmation for irreversible or external actions, and validate model-generated task plans before execution.
Using this design could consume a user’s OpenAI quota and send task content through that account.
The sample uses an OpenAI API key even though the registry metadata declares no required env vars or primary credential. This is expected for OpenAI integration, but users should notice the account access.
headers: { 'Authorization': `Bearer ${process.env.OPENAI_API_KEY}` }Use a dedicated, least-privileged API key, store it securely as an environment variable, and monitor usage and billing.
Sensitive task details may be retained and later reused, and untrusted stored content could influence future agent behavior.
The sample stores task descriptions and responses in agent memory and reuses retrieved context in later prompts. That is purpose-aligned but creates retention and context-trust considerations.
this.memory = new AgentMemory(config.name); ... const context = await this.memory.buildContext(task.description); ... await this.memory.add({ type: 'semantic', content: task.description + ' -> ' + response.content, importance: 8 });Define memory retention limits, sanitize stored content, track source/provenance, and avoid treating retrieved memory as authoritative instructions.
A misconfigured or untrusted agent could send messages that influence other agents if this design is implemented as-is.
The example message bus relays channel messages to subscribers without showing identity checks, authorization, or schema validation. This is a common simplified pattern, but real multi-agent systems need message boundaries.
publish(channel: string, message: Message) { ... for (const sub of subs) { sub.handler(message); } } ... subscribe(channel: string, handler: (msg: Message) => void)Authenticate agent identities, restrict channel access, validate message schemas, and log message origins.
Users may have less clarity about the exact package identity or version they are installing.
The registry identity differs from the SKILL.md frontmatter, which names the skill "multi-agent-orchestrator" with version 1.0.2. The purpose remains aligned, but the metadata inconsistency is worth verifying.
Name: Skylv Agent Team Coordinator ... Version: 1.0.0 ... Source: unknown ... Homepage: none
Verify the registry entry, repository, and SKILL.md metadata match before relying on this skill in a production workflow.