Back to skill
Skillv1.0.0
ClawScan security
Multi Agent Coordinator Zhuyu28 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 6, 2026, 12:19 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and resource usage are consistent with a multi-agent coordination tool and do not request unrelated credentials or network access.
- Guidance
- This skill appears to do what it says: coordinate agents and persist session state locally. Before installing, consider: (1) the included Python script writes a session JSON file to the current working directory (default: coordination_session.json) — run it where that is acceptable or change the path; (2) review the provided source yourself if you need to ensure no remote calls are added later (currently there are none); (3) there are no requested credentials or network endpoints, so it does not appear to exfiltrate data, but if you intend to run it in an environment with sensitive files, run it in a sandbox or dedicated directory. If you need the coordinator to interact with external services later, expect new environment variables or network calls to require an updated review.
Review Dimensions
- Purpose & Capability
- okName and description match the included files: a coordination patterns reference and a Python coordinator script that creates/updates/loads local coordination sessions. Nothing requested or installed is unrelated to orchestration.
- Instruction Scope
- noteSKILL.md contains the full source and guidance and does not instruct the agent to access external secrets, system-wide config paths, or remote endpoints. The included Python script reads/writes a local JSON session file (coordination_session.json by default), which is expected for this functionality — consider that it will persist session state to the working directory and may overwrite that file if present.
- Install Mechanism
- okNo install spec is provided (instruction-only with included source). No downloads, package installs, or archive extraction are requested.
- Credentials
- okThe skill requires no environment variables, credentials, or config paths. The code does not access environment variables or external credentials.
- Persistence & Privilege
- okalways is false and the skill does not request permanent platform-wide privileges. Its only persistence is writing a local session JSON file, which is reasonable for its stated purpose.