ClawHub

Agent Orchestrator

v1.0.2

Multi-agent orchestration with 5 proven patterns - Work Crew, Supervisor, Pipeline, Council, and Auto-Routing

0· 627·1 current·1 all-time
byDan@variable190
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description describe multi-agent orchestration and the code files implement crew, supervise, pipeline, council, and routing patterns that align with that purpose. Declared dependencies (OpenClaw session capabilities) match the implementation. The skill does not request unrelated credentials or external binaries.
!
Instruction Scope
SKILL.md instructs use of the local 'claw' CLI and shows commands that spawn sessions; that matches the code. However, the pre-scan found a prompt-injection pattern ('ignore-previous-instructions') inside SKILL.md. The docs also mention sanitization and safety preambles and a recent changelog entry saying safety text was reworded to reduce scanner false positives — this could be benign maintenance, but it also suggests the author adjusted wording to influence scanners. You should inspect the sanitization code paths (sanitize_untrusted_task and safety preamble logic) to confirm they actually remove or neutralize injection payloads rather than rely on wording alone.
Install Mechanism
There is no external install spec (no network downloads or package installs). The skill ships as Python code in the package; that is a low install surface. No external URLs or extract/install steps are present in the listed metadata.
Credentials
The skill requests no environment variables, no credentials, and no privileged config paths. It relies on OpenClaw session capabilities, which is consistent with its purpose. The README/SECURITY.md explicitly warn not to pass secrets in task text.
Persistence & Privilege
The skill writes local state files by default (e.g., .pipeline_state.json, .router_state.json, .council_state.json). The package claims a safe-state default (ORCHESTRATOR_SAFE_STATE=1) and redaction of keys in persisted previews, which is reasonable for history/state, but you should verify that redaction is effective and that state files do not contain full prompts, outputs, or secrets. always:false (not force-installed) and normal autonomous invocation are defaults and acceptable here.
Scan Findings in Context
[ignore-previous-instructions] unexpected: A prompt-injection signature was found in SKILL.md. This is not expected for a benign CLI-oriented orchestration skill. The project also notes it reworded safety preambles to reduce false positives — this may be an attempt to avoid scanners or simply a documentation tweak. Inspect sanitize_untrusted_task and the safety preamble implementation in utils.py and spawn logic to confirm correct behavior.
What to consider before installing
Summary of what to check before installing: 1) Source and provenance: The skill's homepage is missing and the owner is an opaque ID. If you cannot verify the author (GitHub repo, published package, or community trust), treat it as untrusted until you can inspect the code. 2) Review sanitization and spawn logic: Open utils.py (and any functions named sanitize_untrusted_task, spawn_agent, SessionManager.spawn_session). Confirm that these functions: - Do not forward raw user input into sub-agents without robust sanitization or a safety preamble. - Do not include hidden network endpoints or secrets in sub-agent tasks. - Use an allowlist for OpenClaw subcommands (sessions_spawn, sessions_list, sessions_history) as claimed. 3) Verify persistence behavior: Inspect the state-file writing code to ensure it redacts keys and does not persist full task contents or outputs containing secrets. If you will run in production, keep ORCHESTRATOR_SAFE_STATE=1 and ensure state files are stored in a controlled directory with proper file permissions. 4) Test in a sandbox: Run the skill in an isolated environment and exercise edge cases (malicious-looking inputs) to confirm the sanitization actually prevents prompt injection in spawned sessions. 5) Search the code for network I/O: Grep for requests, urllib, socket, http, or hardcoded URLs/IPs. The docs claim no external network calls, but verify this in the code to be safe. 6) Check for scanner-evasion indicators: The changelog note about rewording safety preambles to reduce false positives is unusual; confirm it did not remove protections. Prefer the explicit sanitization code and tests (tests/security_test_plan.md) over wording in docs. 7) If you need stronger guarantees: require a code review by a trusted developer or only use in non-sensitive contexts. Do not pass secrets or credentials into tasks; run initial evaluations with low-sensitivity inputs. If you want, I can: (A) locate and summarize the sanitize_untrusted_task / spawn_agent code for you, (B) search the repository for network calls and file write paths, or (C) produce a short checklist of concrete grep commands to run locally to validate the points above.

Like a lobster shell, security has layers — review code before you run it.

ai-workflowvk97aamzz0ctp068ykmkkezakg5818qh3automationvk97aamzz0ctp068ykmkkezakg5818qh3latestvk97aamzz0ctp068ykmkkezakg5818qh3multi-agentvk97aamzz0ctp068ykmkkezakg5818qh3orchestrationvk97aamzz0ctp068ykmkkezakg5818qh3productivityvk97aamzz0ctp068ykmkkezakg5818qh3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments