      Safety Report

      Joko Orchestrator

      @oyi77

      Deterministically coordinates autonomous planning and execution across available skills under strict guardrails. Use only when the user explicitly activates this skill by name to run autonomously until a stop command is issued. Trigger keywords include: "use autonomous-skill-orchestrator", "activate autonomous-skill-orchestrator", "start autonomous orchestration".

      1,773 Downloads
      4 Installs
      0 Stars
      1 Versions
      Workflow Automation (9,945), DevOps & Infrastructure (2,491), Maps & Geolocation (2,468)

      Security Analysis

      medium confidence
      Suspicious, 0.08 risk

      The skill's stated purpose (explicit user-activated orchestrator) mostly matches its instruction set, but it contains a contradictory 'magic word' auto-activation and broad, underspecified abilities to read files and run commands (including copying full source into logs), which creates a meaningful risk that it will access or aggregate sensitive data without the explicit, limited consent the description promises.

      Feb 11, 2026, 2 files, 4 concerns

      Purpose & Capability: note

      Name/description claim a coordinator/orchestrator that runs when explicitly activated. The SKILL.md indeed describes orchestration, planning, delegation and verification — capabilities consistent with the stated purpose. However, the SKILL.md also defines a 'magic word' (ultrawork / ulw) that automatically activates full orchestration when included in any prompt, contradicting the 'explicit activation only' claim and expanding activation surface unexpectedly.

      Instruction Scope: concern

      Instructions explicitly allow the orchestrator to 'read files', 'run commands', 'grep/glob', spawn sub-agents and to record 'Full source of all included files' into wisdom logs. Those actions are powerful and broad; the document does not clearly constrain what files/paths are in-scope (project files only vs arbitrary system files) nor how the accumulated content is stored or transmitted. The guidance to copy full source into logs raises a risk of unintended aggregation/exfiltration of secrets or private code.

      Install Mechanism: ok

      This is an instruction-only skill with no install spec and no code files to execute. That minimizes disk-side attack surface. There are no downloads or external install steps to evaluate.

      Credentials: concern

      The skill declares no required environment variables or config paths, yet the instructions permit reading files and running commands (which can reveal environment variables, credentials in files, and other sensitive state). Because the SKILL.md encourages collecting full file contents and wisdom logs without specifying scope or redaction, the declared lack of required credentials understates the access the skill may exercise at runtime.

      Persistence & Privilege: note

      always:false (not force-included) and disable-model-invocation:false (agent may invoke autonomously) are reasonable defaults. The main concern is the magic-word auto-activation: although the skill claims it should be used only with explicit activation, the presence of a keyword that can trigger orchestration from ordinary prompts raises the chance of accidental or covert activation. This increases the effective privilege/activation surface even though the skill does not request persistent installation.

      Guidance

      This skill is not clearly malicious, but it is suspiciously broad. Before installing or enabling it:

      1) Ask the author to remove or make the 'ultrawork' magic-word opt-in and document exactly what activation strings the platform will honor.
      2) Require strict scoping: limit file-system access to a specified project directory and forbid reading config or home directories.
      3) Require redaction rules for wisdom logs (no secrets, no full-source dumps) and explain where logs are stored/transmitted.
      4) Test in an isolated environment with no access to real secrets or production systems.
      5) Consider denying this skill access to spawn sub-agents or run shell commands unless you trust it and can audit its outputs.

      If you cannot get clear, written guarantees and small-scope defaults, treat this skill as risky and avoid using it on sensitive projects.

      Latest Release

      v2.0.0

      v2.0 - Three-layer architecture inspired by oh-my-opencode. Planning → Orchestration → Execution. Features: interview phase, category-based delegation, wisdom accumulation, parallel execution, ultrawork magic word


      Published by @oyi77 on ClawHub
