v1.0.4

Reproduce

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:51 AM.

Analysis

This looks like a legitimate sub-agent spawning skill, but it can send task context to external AI providers and delegate powerful tools to child agents, so it should be reviewed before installation.

GuidanceInstall this only if you intentionally want your agent to delegate work to child LLM agents. Before using it, configure limited provider credentials, sanitize progress snapshots, avoid fire-and-forget for sensitive work, and do not pass broad filesystem or write-capable tools to child agents unless you have scoped and approved them.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

File-access tools allow children to read and write arbitrary paths. Only supply tools you would trust the parent to use directly.

The skill supports passing tools to spawned child agents, and the artifacts explicitly acknowledge that file-access tools can grant arbitrary read/write access without artifact-enforced path allowlists or per-action approval.

User impactIf broad tools are delegated to a child agent, the child could read or change local files with the same reach as the parent’s tools.

RecommendationOnly pass narrowly scoped tools to child agents, prefer read-only or allowlisted file access, and require explicit user approval before delegating write-capable or destructive tools.

Rogue Agents

SeverityMediumConfidenceHighStatusNote

manifest.json

"spawn_agents": true, "async_support": true, "max_spawn_depth": 3, "supported_strategies": ["sequential", "parallel-gather", "fire-and-forget"]

The manifest discloses agent spawning, async operation, bounded recursion, and fire-and-forget strategies. This is aligned with the skill purpose but is a capability users should notice.

User impactThe agent may delegate work to child agents, including parallel or less directly monitored work, which can increase cost, data sharing, and operational complexity.

RecommendationUse this skill only when you intentionally want agent delegation; keep the depth limit, avoid fire-and-forget for sensitive tasks, and log or review child-agent outputs.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

manifest.json

"dependencies": { "pip": [ "litellm>=1.40.0" ] }

The skill depends on LiteLLM with a lower-bound version range rather than a pinned version. The dependency is expected for multi-provider model access, but version ranges can change installed code over time.

User impactFuture dependency versions may behave differently from the version the skill author tested.

RecommendationPin and review dependency versions in production environments, and install from trusted package indexes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

manifest.json

"env_note": "At least one provider API key is required at runtime. Which key depends on the model= argument passed to spawn_openclaw()."

The skill requires delegated provider credentials to run child LLM calls. This is expected for the stated purpose, but it uses the user’s provider account and may incur cost or expose account-level privileges.

User impactChild-agent calls may use your LLM provider account, API quota, billing, and any permissions associated with the configured key.

RecommendationUse least-privilege provider keys where possible, set spending limits, avoid broad cloud credentials unless needed, and do not include credentials in payloads or progress snapshots.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

SKILL.md

progress_so_far is sent to the provider API and visible to the child agent — sanitize snapshots and strip secrets before spawning.

The skill explicitly transmits parent task context to an external provider and to a child agent. This is disclosed and purpose-aligned, but it creates a sensitive data boundary.

User impactSecrets, personal information, private project details, or sensitive intermediate work could be exposed if included in the progress snapshot.

RecommendationReview and minimize progress_so_far before spawning, remove secrets and personal data, and avoid delegating tasks that require sharing confidential context unless the provider and child agent are trusted.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

progress_so_far is sent to the Anthropic API and injected into the child's context.

The child agent relies on a parent-generated progress snapshot as context. If that snapshot contains untrusted instructions or misleading summaries, the child may over-trust them.

User impactA bad or poisoned snapshot could cause the child agent to follow incorrect assumptions or unsafe instructions embedded in prior context.

RecommendationSummarize only trusted task facts, clearly separate untrusted input from instructions, and avoid copying raw user/web content into child-agent context.