Skill Orchestra
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to be a purpose-aligned router that selects skills based on task fit and cost, with no artifact evidence of credential use, exfiltration, destructive behavior, or hidden persistence.
This appears safe to install if you want a skill-routing helper. Before relying on it, remember that it may steer work toward other installed skills, so keep approvals enabled for any downstream skill that can post, automate the desktop, or change data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected to a broader routing system, this skill could influence which other skills an agent chooses for a task.
The router's catalog includes names of potentially high-impact downstream skills, although the visible code only selects a skill name and does not itself post content or control the desktop.
"twitter-thread": {"type": "content", "domain": "social"...} ... "desktop-control": {"type": "automation", "domain": "desktop"...}
Keep normal confirmations and permissions on any downstream skills, especially skills that can post publicly, modify systems, or automate the desktop.
Using the skill runs its bundled Python implementation through the wrapper.
The wrapper dynamically loads the bundled local skill_orchestra.py file. This is a normal wrapper pattern for executing the skill's own implementation, not evidence of hidden remote code execution.
spec.loader.exec_module(module)
Install only versions from a trusted registry or publisher and review bundled code changes when upgrading.
Past recorded success and quality values may influence which skill is selected later in the same runtime.
The performance tracker records execution metrics that can affect later routing choices. The shown data is operational metadata, not task content, credentials, or persistent storage.
self.history[skill_name].append({"timestamp": datetime.now().isoformat(), "success": result.success, "quality": result.quality, "duration": result.duration, "cost": result.cost})
Treat routing history as advisory and reset or inspect it if routing behavior becomes unexpected.
There is less external provenance to rely on when deciding whether to trust updates or publisher claims.
The package has limited provenance information, although the provided artifacts do not show remote install scripts, hidden dependencies, or suspicious static-scan findings.
Source: unknown; Homepage: none
Prefer installing from a trusted publisher and re-check the artifacts on version changes.
