Skip to main content

subagent-architecture

Facilitates advanced orchestration of subagents with security isolation and collaboration patterns for robust multi-agent systems.

Install this skill

or
0/100

Security score

The subagent-architecture skill was audited on Feb 28, 2026 and we found 17 security issues across 3 threat categories, including 5 critical. Review the findings below before installing.

Categories Tested

Security Issues

high line 375

Direct command execution function call

SourceSKILL.md
375├─ Tools: exec (curl only)
critical line 945

Direct command execution function call

SourceSKILL.md
945- ❌ No memory limits per spawn (subagent can consume unlimited RAM)
critical line 1039

Direct command execution function call

SourceSKILL.md
1039- Over-specify context in initial spawn (bloated prompts)
critical line 1445

Direct command execution function call

SourceSKILL.md
1445- Memory limits per spawn (prevent individual subagent memory leaks)
critical line 1446

Direct command execution function call

SourceSKILL.md
1446- API call quotas per spawn (prevent runaway costs)
critical line 1447

Direct command execution function call

SourceSKILL.md
1447- Disk space caps per spawn (prevent storage exhaustion)
medium line 282

Template literal with variable interpolation in command context

SourceSKILL.md
282console.log(`Estimated: $${estimate.expected} (range: $${estimate.min}-$${estimate.max})`);
medium line 291

Template literal with variable interpolation in command context

SourceSKILL.md
291console.log(`Quality: ${score.overall_score}/10 (${score.pass ? 'PASS' : 'FAIL'})`);
medium line 1200

Template literal with variable interpolation in command context

SourceSKILL.md
1200console.warn(`⚠️ Pattern has 65% success rate (13/20). Common failure: ${history.top_failure_mode}`)
medium line 1340

Template literal with variable interpolation in command context

SourceSKILL.md
1340task: `Implement skill-x per plan: ${plan.path}`,
medium line 1350

Template literal with variable interpolation in command context

SourceSKILL.md
1350task: `Review implementation: ${implementation.path}`,
medium line 1375

Template literal with variable interpolation in command context

SourceSKILL.md
1375message: `Security review request:\n${JSON.stringify(package)}\n\nFocus: Payment processing, SQL injection, input validation`
medium line 1627

Template literal with variable interpolation in command context

SourceSKILL.md
1627console.log(`${type}: ${(successRate*100).toFixed(1)}% success, $${avgCost.toFixed(2)} avg cost, ${avgValue.toFixed(1)} avg value`);
medium line 16

Webhook reference - potential data exfiltration

SourceSKILL.md
16- name: Discord webhook (peer review flow)
medium line 18

Webhook reference - potential data exfiltration

SourceSKILL.md
18notes: "Only needed if using the federated peer-review pattern. User must supply their own webhook URL manually. No token is stored or auto-configured by this skill."
medium line 65

Webhook reference - potential data exfiltration

SourceSKILL.md
65- **Discord webhooks** — Only used in the federated peer-review pattern. You supply your own token manually. This skill does not store or transmit credentials.
medium line 247

Access to .env file

SourceSKILL.md
247> const SKILL_DIR = path.join(process.env.OPENCLAW_WORKSPACE || process.cwd(), 'skills', 'subagent-architecture');
Scanned on Feb 28, 2026
View Security Dashboard
Installation guide →
GitHub Stars 2.2K
Rate this skill
Categorydevelopment
UpdatedApril 4, 2026
openclawbackendml-ai-engineerbackend-developerdevops-sreproduct-managertechnical-pmdiscorddevelopmentproduct
openclaw/skills