Workhorse Duo

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent two-agent workflow, but its bootstrap path can broadly enable agent-to-agent access and all-session visibility, which should be reviewed before use.

Review the bootstrap helper before running it, especially -AutoFixConfig. If you use it, keep the backup, validate the workflow, then narrow agentToAgent.allow and session visibility before delegating sensitive or high-impact tasks.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A delegated worker may edit files or run commands as part of a task.

Why it was flagged

The execution worker is expected to make changes and run commands. This is central to the skill's purpose, but it is real local mutation/execution authority.

Skill content

Responsible for:
- implementing changes
- running commands/tests
- debugging and iterating

Recommendation

Use narrow task packets that state allowed files, allowed commands, tests to run, and when the worker must stop for approval.

What this means

Agent-to-agent permissions may be broader than the user expects for a two-worker workflow.

Why it was flagged

The recommended bootstrap configuration uses a wildcard allow policy instead of limiting delegation to the two named workers, xiaoma and xiaoniu.

Skill content

"agentToAgent": { "enabled": true, "allow": ["*"] }

Recommendation

After validation, replace allow: ["*"] with the narrowest policy that only permits the intended Xiaoma/Xiaoniu routing.

What this means

Session context or private information could become visible to worker flows more broadly than necessary.

Why it was flagged

The optional auto-fix writes wildcard agent-to-agent access and all-session visibility into the user's OpenClaw config, expanding cross-agent data boundaries.

Skill content

$config.tools.agentToAgent.allow = @("*")
$config.tools.sessions.visibility = "all"
Set-Content -Path $configPath -Value $json -Encoding UTF8
openclaw gateway restart

Recommendation

Run -AutoFixConfig only if you accept the wider temporary posture, then tighten session visibility and agent-to-agent policy before using the workflow with sensitive tasks.

What this means

The worker agents and their configured permissions may remain available after the initial task.

Why it was flagged

The rollback instructions show that bootstrap-created worker agents/config entries persist until the operator removes or restores them.

Skill content

# remove the xiaoma/xiaoniu entries manually from ~/.openclaw/openclaw.json, or restore from backup

Recommendation

Remove the worker agents or restore the backup config when you no longer need this workflow.