Skill Orchestra
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected to a broader routing system, this skill could influence which other skills an agent chooses for a task.
The router's catalog includes names of potentially high-impact downstream skills, although the visible code only selects a skill name and does not itself post content or control the desktop.
"twitter-thread": {"type": "content", "domain": "social"...} ... "desktop-control": {"type": "automation", "domain": "desktop"...}
Keep normal confirmations and permissions on any downstream skills, especially skills that can post publicly, modify systems, or automate the desktop.
Using the skill runs its bundled Python implementation through the wrapper.
The wrapper dynamically loads the bundled local skill_orchestra.py file. This is a normal wrapper pattern for executing the skill's own implementation, not evidence of hidden remote code execution.
spec.loader.exec_module(module)
Install only versions from a trusted registry or publisher and review bundled code changes when upgrading.
Past recorded success and quality values may influence which skill is selected later in the same runtime.
The performance tracker records execution metrics that can affect later routing choices. The shown data is operational metadata, not task content, credentials, or persistent storage.
self.history[skill_name].append({"timestamp": datetime.now().isoformat(), "success": result.success, "quality": result.quality, "duration": result.duration, "cost": result.cost})
Treat routing history as advisory and reset or inspect it if routing behavior becomes unexpected.
There is less external provenance to rely on when deciding whether to trust updates or publisher claims.
The package has limited provenance information, although the provided artifacts do not show remote install scripts, hidden dependencies, or suspicious static-scan findings.
Source: unknown; Homepage: none
Prefer installing from a trusted publisher and re-check the artifacts on version changes.
