      YonghaoZhao722

      Safety Report

      Antfarm Workflows

      @YonghaoZhao722

      Multi-agent workflow orchestration for OpenClaw. Use when user mentions antfarm, asks to run a multi-step workflow (feature dev, bug fix, security audit), or...

      436 Downloads
      16 Installs
      0 Stars
      1 Versions
      Workflow Automation (3,323), Security & Compliance (1,716), Legal & Compliance (738)

      Security Analysis

      Confidence: medium
      Verdict: Suspicious (0.04 risk)

      The instructions describe a local Node-based workflow system that manages cron jobs, a SQLite DB, and files under ~/.openclaw, but the skill provides no code, no install, and does not declare the runtime or config paths it actually relies on — this mismatch is concerning and should be investigated before use.

      Feb 19, 2026 | 1 file | 4 concerns

      Purpose & Capability: concern

      The skill claims to orchestrate multi-agent workflows via a local CLI at ~/.openclaw/workspace/antfarm/dist/cli/cli.js (invoked with node). Yet the registry metadata lists no required binaries or config paths and the package includes no code or install step. Requiring a Node runtime and an on-disk workspace is expected for this functionality, but those prerequisites are not declared.

      Instruction Scope: concern

      SKILL.md instructs the agent to run commands that manage cron jobs, read/write a shared SQLite DB and operate on files in the user's home (~/.openclaw). It also references a separate 'cron' tool and starting a dashboard (opening a port). Those actions touch system state outside a narrow, read-only query scope and are not declared in the skill metadata.

      Install Mechanism: note

      There is no install spec (instruction-only), which is low risk by itself. However, the instructions assume pre-existing on-disk code under ~/.openclaw/workspace/antfarm; because no code or install step is provided, the skill either expects external setup or will instruct the agent to run commands that don’t exist locally — an incoherence worth clarifying.

      Credentials: concern

      The skill declares no environment variables or credentials, but runtime behavior requires access to the user's home directory, crontab, and a local SQLite DB. Those are sensitive resources; the absence of declared config paths or required binaries (e.g., node) is disproportionate to the metadata and could lead to unexpected file/cron/database modifications.

      Persistence & Privilege: ok

      always:false and normal model invocation settings are appropriate. The skill does not request forced-permanent inclusion. The primary concern is not privilege flags but the fact that its instructions manipulate system crons and files if executed.

      Guidance

      This skill's instructions expect a local Node CLI at ~/.openclaw/workspace/antfarm and will create/manage cron jobs, a SQLite DB, and a dashboard, but the skill bundle includes no code and does not declare Node or those config paths. Before installing or invoking:

      1) ask the publisher for the source repository or release tarball so you can review the actual code;
      2) verify whether ~/.openclaw/workspace/antfarm exists and inspect its contents;
      3) ensure you trust any install/uninstall commands (they may delete DBs or create cron jobs);
      4) confirm who/what will run the dashboard and whether it will open network ports; and
      5) if you do not have or do not want automatic crontab/DB changes, do not run the install/uninstall or force-trigger commands.

      The current mismatch between metadata and runtime instructions is concerning and should be resolved before use.

      Latest Release

      v1.0.0

      Initial release of antfarm-workflows: multi-agent workflow orchestration for OpenClaw.

      - Launches autonomous, cron-driven workflow pipelines (feature dev, bug fix, security audit) using specialized agents.
      - Provides CLI for workflow management: install/uninstall, run workflows, check status, logs, and dashboard access.
      - Workflows and steps are fully automated via staggered cron jobs; agents operate independently and coordinate via a shared SQLite database.
      - Includes documentation for best practices, custom workflow creation, and advanced management commands.

      More by @YonghaoZhao722

      Diet Tracker

      3 stars

      Evomap Bounty Hunter

      2 stars

      Longrunning Agent

      0 stars

      Clash Node Manager

      0 stars

      Fund News Summary

      0 stars

      Moltbook Fanboy

      0 stars

      Published by @YonghaoZhao722 on ClawHub
