Agent Orchestrator
Review
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (ignore-previous-instructions); human review is required before treating this skill as clean.
This appears suitable if you intentionally want multi-agent workflows. Before installing, understand that it can spawn multiple OpenClaw sessions, use substantially more tokens, and keep local state previews. Use it on scoped tasks, avoid secrets or untrusted prompt text, and inspect the full source/provenance if you need high assurance. ClawScan detected prompt-injection indicators (ignore-previous-instructions), so this skill requires review even though the model response was benign.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a task includes malicious or misleading instructions, spawned agents may repeat or act on that content unless runtime safeguards and user review catch it.
The skill intentionally forwards task content to spawned agents, so untrusted task text can influence downstream agents. The artifacts acknowledge this risk and describe mitigations, making it a disclosed note rather than a concern.
Core risks:
- Prompt injection attempts embedded in task input
- Unsafe task propagation to spawned sessions
Keep task inputs scoped, avoid embedding secrets or untrusted instructions, and review synthesized outputs before acting on them.
A broad or accidentally large orchestration run could create unnecessary agent sessions, cost more tokens, or take longer than expected.
The visible code spawns one session per configured agent. This is the skill's stated purpose, but it can create many sessions and consume significant tokens if invoked with large counts.
for i in range(self.config.agent_count):
    ...
    agent_id = self.session_manager.spawn_session(
Use small agent counts and reasonable timeouts, reserve this skill for complex tasks, and monitor spawned sessions.
Task summaries or output previews may remain on disk and could expose sensitive context if secrets are included in prompts or safe-state is disabled.
The skill keeps local state about tasks or outputs. The documentation says previews are redacted by default, but users should still understand that some workflow context may persist locally.
State files persist redacted previews rather than full task/output payloads.
Do not put secrets in task text, keep ORCHESTRATOR_SAFE_STATE enabled, and delete local state files when no longer needed.
Users have less external context for verifying the maintainer, source repository, or complete capability contract.
The registry metadata does not provide source provenance, a homepage, or derived capability tags. This does not show malicious behavior, but it reduces transparency for a skill that runs orchestration code.
Source: unknown
Homepage: none
Capability signals: No capability tags were derived.
Review the package contents before installation and prefer a published source repository or maintainer-provided provenance when available.
