Clawflow
Review
Audited by ClawScan on May 10, 2026.
Overview
Clawflow is a coherent multi-agent coordination skill, but it allows recursive agent delegation and broad context sharing without clear built-in limits.
Use this skill only with trusted peer agents and narrow delegation permissions. Before using it on sensitive work, set clear limits for recursion, subtask count, timeouts, and what data may be forwarded or stored in mailbox/task files.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A single task could spread across many agents or levels of delegation, consuming resources and propagating mistakes beyond the user's intended scope.
The skill intentionally supports recursive delegation but does not define an enforced depth, fan-out, budget, or approval limit.
A peer that receives a subtask might itself decompose and coordinate... **Depth limit:** V1 doesn't enforce a max recursion depth.
Add explicit max-depth, max-subtask, timeout, and per-task budget controls, and require user approval before broad or recursive delegation.
Private information included in a task may be copied into messages sent to other agents and then retained in their workspaces.
The protocol encourages forwarding parent context and upstream results to peer agents, but does not define sensitive-data filtering, consent, or data-boundary rules.
Background information the agent received from *its* parent should be forwarded if relevant. When in doubt, include more context rather than less.
Forward the minimum necessary context, restrict allowed peer agents, and require explicit approval before sending secrets, personal data, or confidential business data to another agent.
Task content and results may remain on disk after the immediate session, including sensitive information if the user includes it.
The skill stores raw messages, task state, and results persistently in workspace files.
`mailbox/` ... `archive/` holds processed messages. This is the durable audit trail — OpenClaw session history compacts over time, the mailbox doesn't.
Provide retention and cleanup guidance, and avoid placing secrets or sensitive data in task messages unless persistence is acceptable.
Installing the skill may let an agent initiate work in other configured agents as part of normal task handling.
The skill uses OpenClaw CLI commands to discover peers and dispatch work, which is expected for its orchestration purpose but still grants operational control over other agents.
Run: openclaw agents list ... openclaw agent --agent {subtask.agent} --message "$(cat dispatch.md)"
Review the OpenClaw `subagents.allowAgents` configuration and keep delegation limited to trusted agents needed for the task.
If delegation is configured broadly, this skill can route work to many or all available agents.
Delegation authority depends on OpenClaw configuration, and a wildcard configuration would allow broad access to configured agents.
An agent's `subagents.allowAgents` config controls which agents it can delegate to. `["*"]` means it can reach any agent.
Use narrow `subagents.allowAgents` settings instead of wildcards where possible.
