Squad Control
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This skill is openly built for autonomous task orchestration, but it gives cloud tasks, cron jobs, GitHub tokens, and local agent spawning enough power to change repositories and workflows without much built-in containment.
Install only if you intentionally want Squad Control to drive local OpenClaw agents and modify GitHub repositories. Use the narrowest possible API keys and GitHub PATs, enforce branch protections, avoid automatic merges unless explicitly desired, verify the missing wake-listener script before enabling that flow, and monitor or disable the cron jobs when not in use.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mis-scoped or compromised key could let the automation access multiple workspaces and modify private GitHub repositories.
The skill explicitly uses high-impact Squad Control and GitHub credentials, including account-wide access and GitHub tokens supplied by the service. This sensitive authority is also under-declared by the registry metadata, which lists no required env vars or primary credential.
SC_API_KEY ... Can be workspace-scoped (single workspace) or account-scoped (all workspaces) ... GITHUB_TOKEN ... uses the token returned by the Squad Control API (workspace.githubToken) ... clones private repos, pushes code, and creates PRs
Use workspace-scoped Squad Control keys where possible, fine-grained GitHub PATs with minimal repo permissions, trusted SC_API_URL values only, and rotate/revoke tokens regularly. The package metadata should declare these credentials clearly.
If task data, role assignment, or review state is wrong or malicious, code could be merged into the main branch automatically.
The documented workflow tells the agent to merge and push to the default branch based on task metadata and role, without an explicit human approval gate in the artifact.
When the assigned agent has role containing "Lead" or "Orchestrator" AND the task has a PR deliverable, merge the PR to main BEFORE marking complete ... git merge --no-ff ... git push origin "$DEFAULT_BRANCH"
Require explicit human approval for merges, enforce GitHub branch protections and CI checks, and avoid giving this automation tokens that can bypass review requirements.
Users may try to enable a high-privilege listener whose implementation is absent from the reviewed artifacts.
SKILL.md references a wake-listener helper, but the provided file manifest and full sources do not include scripts/wake-listener.sh. That leaves the optional background dispatch path unreviewed or broken.
Wake listener: `scripts/wake-listener.sh`
Do not enable the wake-listener flow unless the exact script is present and reviewed. The package should either include the script or remove the instructions.
The agent may keep polling and acting on new tasks until the cron job is disabled.
The setup creates recurring background automation that checks for and executes tasks. This is disclosed and central to the skill, but it means the agent can continue acting after installation.
openclaw cron add ... --every 5m ... --message "Use the squad-control skill to check for and execute pending tasks."
Monitor `openclaw cron list`, remove or pause the cron job when not needed, and keep credentials scoped to only the repositories and workspaces intended for automation.
Wake signals and local gateway credentials can trigger local worker sessions if the listener is enabled.
The optional wake flow involves a relay/listener and a local authenticated session-spawn endpoint. This is purpose-aligned, but it is a sensitive inter-agent control path.
the listener launches an ACP worker session directly via the local authenticated `POST /api/sessions/spawn` endpoint
Protect the local gateway token, keep the endpoint local/authenticated, use the wake listener only with a trusted Squad Control instance, and audit spawned sessions.
Incorrect, stale, or poisoned saved state could affect later task execution.
The skill intentionally persists task state for later sessions. This is useful for continuity, but persisted state can influence future agent behavior.
Use agentState for continuity ... Save state mid-task via `POST /api/tasks/save-state`.
Avoid saving secrets in agentState, treat saved state as untrusted context, and verify important decisions before acting on reused state.